
Unable to download updates for Windows 10 on PC


50 replies to this topic

#1 byallmeans


Posted 26 December 2017 - 11:49 PM

Dear Sir or Madam,

We are unable to download updates for Windows 10 on our PC. We followed the thread to update in the Windows Defender Security Center, but it just remains at "downloading updates 0%" before saying this:

There were problems installing some updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help:

1. 2017-11 Update for Windows 10 Version 1703 for x64-based Systems (KB4049011) - Error 0x800706be

2. 2017-12 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4053580) - Error 0x800706ba

3. 2017-12 Security Update for Adobe Flash Player for Windows 10 Version 1703 for x64-based Systems (KB4053577) - Error 0x800706ba

4. SAMSUNG Electronics Co., Ltd. - Other hardware - SAMSUNG Mobile MTP Device - Error 0x800706be

5. Update for Windows 10 Version 1703 for x64-based Systems

Your device is at risk because it’s out of date and missing important security and quality updates. Let’s get you back on track so Windows can run more securely. RETRY.

I looked for help and the advice was that it is possibly malware. So I followed your preparation guide and have the following from FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 26-12-2017
Ran by Sinsuat (administrator) on SINSUAT-PC (27-12-2017 12:27:44)
Running from C:\Users\Sinsuat\Desktop
Loaded Profiles: Sinsuat (Available Profiles: Sinsuat & postgres & Administrator & DefaultAppPool)
Platform: Windows 10 Home Version 1703 15063.296 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AMD) C:\Windows\System32\atiesrxx.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(DEVGURU Co., LTD.) C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
() C:\Windows\jmesoft\Service.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(LeapFrog Enterprises, Inc.) D:\leapfrog\LeapFrog Connect\CommandService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\NisSrv.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
() C:\Program Files\GoPro\GoPro Desktop App\GoProDeviceDetection.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\Windows\SysWOW64\UMonit.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Lenovo) C:\Windows\jmesoft\hotkey.exe
() C:\Windows\jmesoft\JME_LOAD.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe
(CyberLink) C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe
(CANON INC.) C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsStore_11711.1001.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
() C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
() C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.12111.0_x64__8wekyb3d8bbwe\Video.UI.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-19] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11543656 2010-10-26] (Realtek Semiconductor)
HKLM\...\Run: [UMonit] => C:\windows\SysWOW64\UMonit.exe********************************************************************************************************************************* [49152 2011-05-25] ()
HKLM\...\Run: [IgfxTray] => "C:\WINDOWS\system32\igfxtray.exe"
HKLM\...\Run: [HotKeysCmds] => "C:\WINDOWS\system32\hkcmd.exe"
HKLM\...\Run: [Persistence] => "C:\WINDOWS\system32\igfxpers.exe"
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2015-11-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [jmekey] => C:\windows\jmesoft\hotkey.exe [118784 2011-06-09] (Lenovo)
HKLM-x32\...\Run: [jmesoft] => C:\Windows\jmesoft\ServiceLoader.exe [28672 2011-03-16] ()
HKLM-x32\...\Run: [Lenovo Eye Distance System] => C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe [265216 2010-09-10] (Lenovo)
HKLM-x32\...\Run: [Lenovo Dynamic Brightness System] => C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe [285696 2010-10-09] (Lenovo)
HKLM-x32\...\Run: [SetDefaultSCR] => C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe [102400 2009-12-31] (Lenovo)
HKLM-x32\...\Run: [CLMLServer] => C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe [103720 2009-12-05] (CyberLink)
HKLM-x32\...\Run: [UpdateP2GoShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-20] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe [222504 2009-05-14] (CyberLink Corp.)
HKLM-x32\...\Run: [CanonSolutionMenuEx] => C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1185112 2010-04-02] (CANON INC.)
HKLM-x32\...\Run: [Monitor] => D:\leapfrog\LeapFrog Connect\Monitor.exe [124536 2015-06-04] (LeapFrog Enterprises, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [318128 2016-11-16] (Samsung Electronics Co., Ltd.)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{18e60748-8034-4fb5-880c-df74119c0c4a}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{d8e6fbca-880e-4d4d-b5d8-322bc8b7b8a0}: [DhcpNameServer] 192.168.1.1
Internet Explorer:
==================
HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com
HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LEND&bmod=LEND
HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ig/redirectdomain?brand=LEND&bmod=LEND
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3712062798-2683279141-1189575495-1001 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-3712062798-2683279141-1189575495-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3712062798-2683279141-1189575495-1001 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-3712062798-2683279141-1189575495-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_91\bin\ssv.dll [2016-05-11] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-05-11] (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-05-10] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-05-10] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-3712062798-2683279141-1189575495-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FireFox:
========
FF ProfilePath: C:\Users\Sinsuat\AppData\Roaming\Mozilla\Firefox\Profiles\ujuvafdh.default [2017-12-26]
FF Extension: (YouTube mp3) - C:\Users\Sinsuat\AppData\Roaming\Mozilla\Firefox\Profiles\ujuvafdh.default\Extensions\info@youtube-mp3.org.xpi [2016-05-08] [Legacy]
FF Extension: (Looking Glass) - C:\Users\Sinsuat\AppData\Roaming\Mozilla\Firefox\Profiles\ujuvafdh.default\Extensions\pug.experience@shield.mozilla.org.xpi [2017-12-14] [Legacy]
FF Extension: (No Name) - C:\Users\Sinsuat\AppData\Roaming\Mozilla\Firefox\Profiles\ujuvafdh.default\Extensions\{b9acf540-acba-11e1-8ccb-001fd0e08bd4}.xpi [2017-09-30]
FF Extension: (Video DownloadHelper) - C:\Users\Sinsuat\AppData\Roaming\Mozilla\Firefox\Profiles\ujuvafdh.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2017-12-12]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_28_0_0_126.dll [2017-12-13] ()
FF Plugin: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-05-11] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-05-11] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_126.dll [2017-12-13] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-05-10] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-05-10] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-15] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> D:\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> D:\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> D:\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3712062798-2683279141-1189575495-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Sinsuat\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-06-08] (Unity Technologies ApS)
StartMenuInternet: FIREFOX.EXE - D:\firefox\firefox.exe
Chrome:
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxp://www.google.com/ig/redirectdomain?brand=LEND&bmod=LEND
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Sinsuat\AppData\Local\Google\Chrome\User Data\Default [2017-12-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Sinsuat\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-22]
CHR Extension: (Chrome Media Router) - C:\Users\Sinsuat\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-16]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
==================== Services (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
ATTENTION: => Could not perform signature verification. Cryptographic Service is not running.
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-04-03] (Apple Inc.)
R2 GoProDeviceDetectionService; C:\Program Files\GoPro\GoPro Desktop App\GoProDeviceDetection.exe [38328 2017-09-26] ()
R2 JME Keyboard; C:\Windows\jmesoft\Service.exe [32768 2011-03-16] ()
R2 LeapFrog Connect Device Service; D:\leapfrog\LeapFrog Connect\CommandService.exe [7406712 2015-06-04] (LeapFrog Enterprises, Inc.)
S2 postgresql-x64-9.5; C:\Program Files\PostgreSQL\9.5\bin\pg_ctl.exe [94208 2016-08-09] (PostgreSQL Global Development Group)
S2 SkypeUpdate; D:\skype\Updater\Updater.exe [317400 2017-02-27] (Skype Technologies)
R2 ss_conn_service; C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [754784 2016-07-22] (DEVGURU Co., LTD.)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\NisSrv.exe [356176 2017-12-08] (Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe [105792 2017-12-08] (Microsoft Corporation)
===================== Drivers (Whitelisted) ======================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [102912 2015-05-28] (Advanced Micro Devices)
S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
R3 GeneStor; C:\WINDOWS\System32\drivers\GeneStor.sys [58368 2011-05-18] (GenesysLogic)
R1 MpKsl7df53988; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C23799E1-D752-4BE8-9DC7-6A5806AB11AF}\MpKsl7df53988.sys [58120 2017-12-25] (Microsoft Corporation)
R1 MpKsl847e357a; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C492F2D0-906F-4EBD-A989-6885EE79476A}\MpKsl847e357a.sys [58120 2017-12-27] (Microsoft Corporation)
S3 SDFRd; C:\WINDOWS\System32\drivers\SDFRd.sys [31128 2017-03-19] ()
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46072 2017-12-08] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [288848 2017-12-08] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [129616 2017-12-08] (Microsoft Corporation)
R0 WinI2C-DDC; C:\WINDOWS\System32\drivers\DDCDrv.sys [20832 2008-04-08] (Nicomsoft Ltd.)
R0 WinI2C-DDC; C:\Windows\SysWOW64\drivers\DDCDrv.sys [15712 2010-03-23] (Nicomsoft Ltd.)
U3 idsvc; no ImagePath
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2017-12-27 12:27 - 2017-12-27 12:29 - 000018208 _____ C:\Users\Sinsuat\Desktop\FRST.txt
2017-12-27 12:27 - 2017-12-27 12:27 - 000000000 ____D C:\FRST
2017-12-27 12:24 - 2017-12-27 12:25 - 002391552 _____ (Farbar) C:\Users\Sinsuat\Desktop\FRST64.exe
2017-12-27 12:00 - 2017-12-27 12:00 - 000000000 ____D C:\Program Files\Common Files\Apple
2017-12-27 09:59 - 2017-12-27 09:59 - 000000000 ___HD C:\OneDriveTemp
2017-12-26 16:03 - 2017-12-26 17:10 - 000000000 ____D C:\Users\Sinsuat\Desktop\BAMP cover photos
2017-12-26 09:34 - 2017-12-27 10:53 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2017-12-26 09:33 - 2017-12-26 09:33 - 000550924 _____ C:\WINDOWS\Minidump\122617-46781-01.dmp
2017-12-21 19:16 - 2017-12-21 20:23 - 000000000 ____D C:\Users\Sinsuat\Desktop\AES christmas
2017-12-15 16:43 - 2017-12-15 16:45 - 022427111 _____ C:\Users\Sinsuat\Downloads\video-1513323031.mp4
2017-12-15 16:43 - 2017-12-15 16:43 - 005604468 _____ C:\Users\Sinsuat\Downloads\video-1513322915.mp4
2017-12-14 18:07 - 2017-12-14 18:08 - 004879475 _____ C:\Users\Sinsuat\Downloads\forge-1.12.1-14.22.1.2478-installer-win.exe
2017-12-14 17:48 - 2017-12-14 17:49 - 004994654 _____ C:\Users\Sinsuat\Downloads\forge-1.12.2-14.23.1.2555-installer-win.exe
2017-12-14 12:29 - 2017-12-14 12:29 - 000000000 ___RD C:\Users\Sinsuat\3D Objects
2017-12-13 17:03 - 2017-12-13 17:04 - 000550836 _____ C:\WINDOWS\Minidump\121317-24140-01.dmp
2017-12-10 13:41 - 2017-12-10 13:41 - 000000000 ____D C:\Users\Administrator\AppData\Local\ElevatedDiagnostics
2017-12-09 13:32 - 2017-12-09 13:32 - 000550956 _____ C:\WINDOWS\Minidump\120917-22781-01.dmp
2017-12-06 15:50 - 2017-12-06 15:50 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Sun
2017-12-06 15:50 - 2017-12-06 15:50 - 000000000 ____D C:\Users\Administrator\AppData\LocalLow\Sun
2017-12-06 15:50 - 2017-12-06 15:50 - 000000000 ____D C:\Users\Administrator\.oracle_jre_usage
2017-12-06 14:22 - 2017-12-06 14:22 - 000135127 _____ C:\Users\Sinsuat\Downloads\Statement (1).pdf
2017-12-06 14:21 - 2017-12-06 14:21 - 000110634 _____ C:\Users\Sinsuat\Downloads\Statement.pdf
2017-12-03 11:26 - 2017-12-03 11:41 - 000000000 ____D C:\Users\Sinsuat\Desktop\Boss Baby
2017-12-02 19:16 - 2017-12-02 19:16 - 000510100 _____ C:\WINDOWS\Minidump\120217-18046-01.dmp
2017-11-28 11:51 - 2017-11-28 11:52 - 000550972 _____ C:\WINDOWS\Minidump\112817-20531-01.dmp
2017-11-27 16:43 - 2017-11-27 16:43 - 000930961 _____ C:\Users\Sinsuat\Desktop\chapter-one.pdf
2017-11-27 16:42 - 2017-11-27 16:42 - 001787313 _____ C:\Users\Sinsuat\Desktop\philippines_health_system_review.pdf
2017-11-27 15:21 - 2017-11-27 15:22 - 019043826 _____ C:\Users\Sinsuat\Downloads\NHS-bed-occupancy-report-feb2017.pdf
2017-11-27 15:12 - 2017-11-27 15:12 - 000170743 _____ C:\Users\Sinsuat\Downloads\DP_LIVE_27112017081249042.csv
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2017-12-27 12:21 - 2017-05-23 18:17 - 000004162 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{29CC8ED9-4BF6-4606-9C9E-693AC51422EF}
2017-12-27 12:08 - 2017-03-19 04:51 - 000000000 ____D C:\WINDOWS\CbsTemp
2017-12-27 12:07 - 2017-03-19 05:01 - 000000000 ____D C:\WINDOWS\INF
2017-12-27 12:00 - 2014-07-02 21:22 - 000000000 ____D C:\ProgramData\Apple
2017-12-27 11:40 - 2017-03-19 05:03 - 000000000 ____D C:\WINDOWS\AppReadiness
2017-12-27 11:39 - 2017-11-24 06:09 - 000000000 ____D C:\Users\Administrator\AppData\Local\Packages
2017-12-27 11:10 - 2017-05-23 17:53 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2017-12-27 10:08 - 2017-05-23 17:59 - 000000000 ____D C:\Users\Sinsuat
2017-12-27 09:59 - 2016-04-19 17:44 - 000000000 ___RD C:\Users\Sinsuat\OneDrive
2017-12-26 20:47 - 2016-05-10 16:16 - 000001277 _____ C:\Users\Sinsuat\Desktop\nativelog.txt
2017-12-26 20:47 - 2016-05-10 16:05 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\.minecraft
2017-12-26 19:35 - 2017-01-18 08:03 - 000000000 ____D C:\Users\Sinsuat\AppData\LocalLow\Mozilla
2017-12-26 09:35 - 2017-11-24 17:28 - 000000000 ____D C:\Users\postgres
2017-12-26 09:34 - 2017-03-19 05:03 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2017-12-26 09:33 - 2017-06-05 19:51 - 000000000 ____D C:\WINDOWS\Minidump
2017-12-26 09:33 - 2017-05-23 18:17 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-12-25 13:28 - 2017-03-18 19:40 - 000786432 _____ C:\WINDOWS\system32\config\BBI
2017-12-22 10:02 - 2014-09-13 15:00 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\SoftGrid Client
2017-12-21 18:54 - 2014-07-06 13:47 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\vlc
2017-12-19 13:21 - 2017-03-19 05:03 - 000000000 ___HD C:\Program Files\WindowsApps
2017-12-15 11:35 - 2012-03-02 23:45 - 000002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-12-14 15:21 - 2016-04-19 17:40 - 000000000 ____D C:\Users\Sinsuat\AppData\Local\Packages
2017-12-13 17:50 - 2017-03-19 05:03 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-12-13 17:50 - 2017-03-19 05:03 - 000000000 ____D C:\WINDOWS\system32\Macromed
2017-12-13 17:42 - 2014-06-30 03:13 - 000000000 ____D C:\WINDOWS\system32\MRT
2017-12-13 17:39 - 2017-10-15 14:02 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2017-12-13 17:39 - 2014-06-30 03:13 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-12-12 17:54 - 2014-08-05 16:42 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\Mozilla
2017-12-10 13:35 - 2017-11-24 06:21 - 000003382 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-3712062798-2683279141-1189575495-500
2017-12-10 13:35 - 2017-11-24 06:21 - 000002427 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-12-10 13:35 - 2017-11-24 06:19 - 000000000 ___RD C:\Users\Administrator\OneDrive
2017-12-08 14:14 - 2017-07-27 11:57 - 000003372 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-3712062798-2683279141-1189575495-1001
2017-12-08 14:14 - 2016-04-19 17:44 - 000002413 _____ C:\Users\Sinsuat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-12-08 08:46 - 2017-02-09 18:40 - 000001290 _____ C:\Users\Sinsuat\Desktop\Roblox Studio.lnk
2017-12-08 08:46 - 2017-02-09 18:40 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox
2017-12-06 19:47 - 2014-06-28 22:07 - 000000000 ____D C:\Users\Sinsuat\AppData\Local\VirtualStore
2017-12-06 15:50 - 2017-11-24 06:09 - 000000000 ____D C:\Users\Administrator
2017-12-03 11:37 - 2016-04-07 19:31 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\dvdcss
2017-11-30 16:00 - 2015-12-23 10:44 - 000002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
==================== Files in the root of some directories =======
2012-03-02 23:41 - 2012-03-02 23:41 - 001914000 _____ (Adobe Systems Incorporated) C:\ProgramData\flashax10.exe
2016-10-23 10:43 - 2016-10-23 10:43 - 000000017 _____ () C:\Users\Sinsuat\AppData\Local\resmon.resmoncfg
Some files in TEMP:
====================
2017-12-14 20:28 - 2017-12-14 20:28 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-2176543514838077014.dll
2017-12-14 18:05 - 2017-12-14 18:05 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-2552574934709909813.dll
2017-12-14 18:16 - 2017-12-14 18:16 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-491713502692584495.dll
2017-12-14 18:03 - 2017-12-14 18:03 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-6673708530472262918.dll
2017-12-14 17:57 - 2017-12-14 17:57 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-6945980185947693821.dll
2017-12-14 18:20 - 2017-12-14 18:20 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-712934044214497220.dll
2017-12-14 18:14 - 2017-12-14 18:14 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-8286517408946942649.dll
2017-12-07 14:17 - 2017-12-07 14:17 - 001856576 _____ (Oracle Corporation) C:\Users\Sinsuat\AppData\Local\Temp\jre-8u151-windows-au.exe
==================== Bamital & volsnap ======================
(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\system32\winlogon.exe
[2017-05-24 09:48] - [2017-05-24 09:48] - 000707072 _____ (Microsoft Corporation) D0F1FB0E90BFBD14865B770E2567BE1D
C:\WINDOWS\system32\wininit.exe => MD5 is legit
C:\WINDOWS\explorer.exe
[2017-05-24 09:48] - [2017-05-24 09:48] - 004848440 _____ (Microsoft Corporation) 6314A1E16B2B6D2E0E3FE65C9BA7BD73
C:\WINDOWS\SysWOW64\explorer.exe
[2017-05-24 09:48] - [2017-05-24 09:48] - 004469832 _____ (Microsoft Corporation) 97FA9E2FD62081E635DDB7AF09121A20
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\SysWOW64\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\SysWOW64\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\SysWOW64\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll
[2017-05-24 09:48] - [2017-05-24 09:48] - 001085440 _____ (Microsoft Corporation) 0E79A4C76CAAA0CFE9CA42C13E5AA086
C:\WINDOWS\system32\dnsapi.dll => MD5 is legit
C:\WINDOWS\SysWOW64\dnsapi.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\volsnap.sys
[2017-03-19 04:57] - [2017-03-19 04:57] - 000397216 _____ (Microsoft Corporation) E3429DBBEA3965BB96E24B16EF4A2551

LastRegBack: 2017-12-20 18:30
==================== End of FRST.txt ============================

and from Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 26-12-2017
Ran by Sinsuat (27-12-2017 12:30:11)
Running from C:\Users\Sinsuat\Desktop
Windows 10 Home Version 1703 15063.296 (X64) (2017-05-23 10:23:37)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================
Administrator (S-1-5-21-3712062798-2683279141-1189575495-500 - Administrator - Enabled) => C:\Users\Administrator
DefaultAccount (S-1-5-21-3712062798-2683279141-1189575495-503 - Limited - Disabled)
Guest (S-1-5-21-3712062798-2683279141-1189575495-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3712062798-2683279141-1189575495-1003 - Limited - Enabled)
postgres (S-1-5-21-3712062798-2683279141-1189575495-1005 - Limited - Enabled) => C:\Users\postgres
Sinsuat (S-1-5-21-3712062798-2683279141-1189575495-1001 - Administrator - Enabled) => C:\Users\Sinsuat
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.126 - Adobe Systems Incorporated)
AMD Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
AMD Catalyst Install Manager (HKLM\...\{AD2C4469-ACD9-4E78-91DE-A6BF6459959A}) (Version: 3.0.842.0 - Advanced Micro Devices, Inc.)
Apple Mobile Device Support (HKLM\...\{0A596141-97D5-45FA-9281-98DFAF48D579}) (Version: 10.3.2.3 - Apple Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Canon iP2700 series Printer Driver (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP2700_series) (Version:  - )
Canon MP Navigator EX 4.0 (HKLM-x32\...\MP Navigator EX 4.0) (Version:  - )
Canon Solution Menu EX (HKLM-x32\...\CanonSolutionMenuEX) (Version:  - )
CanoScan LiDE 210 Scanner Driver (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_cnq4809) (Version:  - )
Cisco Connect (HKLM-x32\...\Cisco Connect) (Version: 1.4.12263.1 - Cisco Consumer Products LLC)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
DB Browser for SQLite (HKLM-x32\...\SqliteBrowser3) (Version: 3.4.0 - oldsch00l)
Genesys USB Mass Storage Device (HKLM-x32\...\{959B7F35-2819-40C5-A0CD-3C53B5FCC935}) (Version: 4.0.2.1 - Genesys Logic)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.84 - Google Inc.)
Google Earth Pro (HKLM-x32\...\{ECF2E224-42F5-4E50-B58E-94CA70E85697}) (Version: 7.3.0.3832 - Google)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1118 - Intel Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 15.4 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.4229 - Intel Corporation)
Java 8 Update 91 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418091F0}) (Version: 8.0.910.14 - Oracle Corporation)
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)
Junk Mail filter update (HKLM-x32\...\{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}) (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
LeapFrog Connect (HKLM-x32\...\{5B0F473D-7E18-477F-99DC-3745D5A711E9}) (Version: 7.0.6.19846 - LeapFrog) Hidden
LeapFrog Connect (HKLM-x32\...\UPCShell) (Version: 7.0.6.19846 - LeapFrog)
LeapFrog LeapReader Plugin (HKLM-x32\...\{53136BA4-AEC5-4695-9A51-7C63B7F32E7C}) (Version: 7.0.6.19846 - LeapFrog) Hidden
Lenovo Blacksilk USB Keyboard Driver (HKLM-x32\...\{B266E062-D6C5-485B-B426-51B152B041A6}) (Version: V1.4.11.0608 - Lenovo)
Lenovo Driver and Application Installation (HKLM-x32\...\{45970CD1-D599-47D4-938F-3E9800D54ED1}) (Version: 5.10.1809 - Lenovo)
Lenovo Dynamic Brightness System (HKLM-x32\...\{D9ED6D06-6002-495E-A7BC-46E6AE386996}) (Version: 4.0.00.22080 - Lenovo)
Lenovo Eye Distance System (HKLM-x32\...\{5183D7AB-D09B-411F-A74E-BBAEA61C6505}) (Version: 4.0.00.21090 - Lenovo)
Lenovo Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.0.4827a - CyberLink Corp.) Hidden
Lenovo Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.0.4827a - CyberLink Corp.)
Lenovo Rescue System (HKLM\...\{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 3.0.1409 - CyberLink Corp.) Hidden
Lenovo Rescue System (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 3.0.1409 - CyberLink Corp.)
Lenovo Screensaver (HKLM-x32\...\{803E6DED-5050-4E3D-B26A-5915397362CD}) (Version: 1.0.5.110104 - Lenovo)
LVT (HKLM-x32\...\{D3063097-EC84-4D21-84A4-9D852E974355}) (Version: 4.1.2.0919 - Lenovo)
Mesh Runtime (HKLM-x32\...\{8C6D6116-B724-4810-8F2D-D047E6B7D68E}) (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\...\OneDriveSetup.exe) (Version: 17.3.7131.1115 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Minecraft (HKLM-x32\...\{1C16BCA3-EBC1-49F6-8623-8FBFB9CCC872}) (Version: 1.0.3.0 - Mojang)
Mozilla Firefox 31.0 (x86 en-GB) (HKLM-x32\...\Mozilla Firefox 31.0 (x86 en-GB)) (Version: 31.0 - Mozilla)
Mozilla Firefox 57.0 (x64 en-GB) (HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\...\Mozilla Firefox 57.0 (x64 en-GB)) (Version: 57.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
Need for Speed™ Hot Pursuit (HKLM-x32\...\{83A606F5-BF6F-42ED-9F33-B9F74297CDED}) (Version: 1.0.0.0 - Electronic Arts)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
PostgreSQL 9.5  (HKLM\...\PostgreSQL 9.5) (Version: 9.5 - PostgreSQL Global Development Group)
Quik (HKLM\...\{D6D98E38-D75D-4E9C-916E-F68ED43A1F2F}) (Version: 0.1.290 - GoPro, Inc.) Hidden
Quik (HKLM-x32\...\{ed4c22dc-8424-496a-8732-a71d56b4b1cd}) (Version: 2.5.0.290 - GoPro, Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6230 - Realtek Semiconductor Corp.)
Roblox Player for Sinsuat (HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\...\{373B1718-8CC5-4567-8EE2-9033AD08A680}) (Version:  - Roblox Corporation)
ROBLOX Studio for Sinsuat (HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\...\{2922D6F1-2865-4EFA-97A9-94EEAB3AFA14}) (Version:  - ROBLOX Corporation)
Samsung Kies (HKLM-x32\...\{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.6.4.16113.3 - Samsung Electronics Co., Ltd.) Hidden
Samsung Kies (HKLM-x32\...\InstallShield_{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.6.4.16113.3 - Samsung Electronics Co., Ltd.)
Samsung Kies3 (HKLM-x32\...\{88547073-C566-4895-9005-EBE98EA3F7C7}) (Version: 3.2.16084.2 - Samsung Electronics Co., Ltd.) Hidden
Samsung Kies3 (HKLM-x32\...\InstallShield_{88547073-C566-4895-9005-EBE98EA3F7C7}) (Version: 3.2.16084.2 - Samsung Electronics Co., Ltd.)
Samsung USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.61.0 - Samsung Electronics Co., Ltd.)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.33 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.33.105 - Skype Technologies S.A.)
Transformers Rise of the Dark Spark (HKLM-x32\...\Transformers Rise of the Dark Spark_is1) (Version: 1.0.0.0 - Activision)
Unity Web Player (HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\...\UnityWebPlayer) (Version: 5.0.3f2 - Unity Technologies ApS)
Use the entry named LeapFrog Connect to uninstall (LeapFrog LeapReader Plugin) (HKLM-x32\...\LeapReaderPlugin) (Version:  - LeapFrog)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Windows 10 Update and Privacy Settings (HKLM\...\{293F2009-0145-450B-B4AA-063D43FB368C}) (Version: 1.0.13.0 - Microsoft Corporation)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net  (09/10/2009 02.03.05.012) (HKLM\...\8F14F2ECEDE68D26EA515B48DC25B39103C4FE8D) (Version: 09/10/2009 02.03.05.012 - Leapfrog)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\ShellExt.dll [2017-03-19] (Microsoft Corporation)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\ShellExt.dll [2017-03-19] (Microsoft Corporation)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\ShellExt.dll [2017-03-19] (Microsoft Corporation)
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\atiacm64.dll [2015-11-04] (Advanced Micro Devices, Inc.)
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {0809EC5A-4E4D-4240-A68E-F837EE4491D6} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {0E893A81-D255-40F5-86E0-A55F92E34D2A} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {0EB8714F-FF88-4E88-9ED8-5022EB22BB0B} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {0F432E96-E0AA-452A-98F8-24D8FCB2F311} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {0F4596CB-DA76-4AD7-96F0-CD4846800D85} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {0FAB990D-AA25-4673-9594-1CA31A8826AB} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {1C318FCE-5646-45CA-89A4-E91EA7C0DFFC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {1CCDC358-13DE-4B3C-B07A-39010AEF2F7D} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {26D226DF-5C1B-45C6-ABFD-41FDB73F5510} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {26D794D9-A253-407D-BC03-CA5960232718} - System32\Tasks\S-1-5-21-3712062798-2683279141-1189575495-1001\DataSenseLiveTileTask => C:\WINDOWS\System32\DataUsageLiveTileTask.exe [2017-03-19] (Microsoft Corporation)
Task: {309D248C-2B84-41AA-A82F-2354ADE5990A} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {35811291-D85E-4379-ACCE-D70C0DED39EA} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {471F1EB6-4364-4B5A-8010-AF0C6D1BF61D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {5B5E53D6-CF56-436D-816E-CC7B72EEDDB9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {69F66B84-3346-4AE0-8FE7-65FD8AA5E4B2} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {73737297-6991-4967-8723-86CCB0953FF8} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\WINDOWS\ehome\MCUpdate.exe
Task: {7B816CAA-2BB7-4B14-902E-5C3A4018D9AC} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8069869C-7166-4BAB-B3C6-2A40FDF107BC} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {80CE1719-DFC2-4F8D-A77F-3E23355F53A5} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {81757618-05FA-4B3C-A25A-4B2AD7E233EF} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {84C154CB-D0FB-4BDC-BABE-5C1443C14BAC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-09-01] (Google Inc.)
Task: {86B849BB-0F3F-4CEC-87CA-32C109FC7D9D} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => C:\WINDOWS\ehome\ehrec.exe
Task: {886623AE-AB68-47BE-9FCA-756759D696AA} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-09-27] (Adobe Systems Incorporated)
Task: {8A8D66C3-1CDA-4349-B9D5-B3BABEE1C80D} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {958D8EEF-2DDD-43BA-AE4F-2C2F430AB93F} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {9B2BB8DC-37D0-4D27-A13D-FECC5C8DF95C} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-12-13] (Adobe Systems Incorporated)
Task: {9D4610C9-BBC6-420D-B733-EBA6C97829E1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {9DFB3703-D980-4AD9-A23C-4D5419B2DA07} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {A0C7CABC-83D8-489C-8A32-BC2123D0CF6F} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {A644ABBB-BABF-4A76-95E2-2FEA3B1E16E1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {AFEB6689-2102-4A38-8D1E-A74CEDB202CF} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-09-01] (Google Inc.)
Task: {AFEF37D8-E244-4B70-809E-959E70048DD8} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => C:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: {B0741D0A-36CF-44C8-886F-345DF08A7184} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {B7909524-1129-4A7E-8C7E-126B4C0AA90E} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\WINDOWS\ehome\mcupdate.exe
Task: {B8B1409F-5A07-4C39-A95A-A64CF4957535} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {BF3AE510-DE7A-41EC-98ED-F94D9F3A4D8C} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {BFE6F55D-39C4-4AD9-9D7C-2E1D42514C8B} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {C0CDB664-BE6A-4AE0-8E87-9D4D1E6DB74B} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {C146D59A-232E-4F59-BCAF-795BBB1277C6} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {C54FA379-50F4-4B89-99FF-0CBB032A4DF2} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {CA52AEE6-992F-436A-97E9-E5706180714C} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\WINDOWS\ehome\ehrec.exe
Task: {CAF1515A-53CD-42C9-8CB5-F04EBC3A8E42} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {D315F9D9-5D8C-4BEE-834E-624B207EC613} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {E34F1157-850F-4A25-92DC-C2DD73EA7101} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {E68D3A09-FCD9-4567-9842-AF65614DD5A9} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {F24BEE43-72ED-4888-8146-12E1B2B7FE9B} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\WINDOWS\ehome\mcupdate.exe
Task: {F9B04097-600A-47FC-9B56-B8C3599A40C4} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\WINDOWS\ehome\ehPrivJob.exe
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts & WMI ========================
(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============
2012-03-02 23:07 - 2011-03-16 12:47 - 000032768 _____ () C:\Windows\jmesoft\Service.exe
2017-11-24 17:27 - 2016-07-27 16:08 - 002264576 _____ () C:\Program Files\PostgreSQL\9.5\bin\libxml2.dll
2017-09-26 18:50 - 2017-09-26 18:50 - 000038328 _____ () C:\Program Files\GoPro\GoPro Desktop App\GoProDeviceDetection.exe
2017-03-19 04:58 - 2017-03-19 04:58 - 000138000 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-03-19 04:59 - 2017-03-19 10:31 - 001731072 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2012-03-02 23:08 - 2011-05-25 20:09 - 000049152 _____ () C:\Windows\SysWOW64\UMonit.exe
2012-03-02 23:07 - 2011-05-18 05:54 - 000024576 _____ () C:\Windows\jmesoft\JME_LOAD.exe
2017-12-06 14:15 - 2017-12-06 14:16 - 004698848 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_11711.1001.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 000477184 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
2017-12-14 15:15 - 2017-12-14 15:21 - 058590720 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.dll
2017-10-01 08:26 - 2017-10-01 08:30 - 002523136 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\UnityEngineDelegates.dll
2017-11-14 11:52 - 2017-11-14 12:09 - 000164864 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\VideoPlugin.dll
2017-10-01 08:26 - 2017-10-01 08:28 - 000675328 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\IPPNativePlugin.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 003727360 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\MediaEngineCSWrapper.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 002270720 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\TrackingDLLUWP.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 016395264 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\PhotosApp.Windows.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 003579904 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\MediaEngine.dll
2017-12-14 15:15 - 2017-12-14 15:19 - 003204096 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\AppCore.Windows.dll
2017-08-29 17:22 - 2017-08-29 17:22 - 003553704 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 000043520 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.Edit.Services.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 004038144 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.People.PeoplePicker.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 001367040 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.RichMedia.Ink.Controls.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 000214528 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\SKU.dll
2017-12-13 17:11 - 2017-12-13 17:12 - 026506240 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.12111.0_x64__8wekyb3d8bbwe\Video.UI.exe
2017-12-13 17:11 - 2017-12-13 17:12 - 008369664 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.12111.0_x64__8wekyb3d8bbwe\EntCommon.dll
2017-09-27 13:28 - 2017-09-27 13:29 - 003553704 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.12111.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
2017-03-19 04:58 - 2017-03-19 04:58 - 000047616 _____ () C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUITelemetry.dll
2017-03-19 04:58 - 2017-03-19 04:58 - 002328576 _____ () C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIViewModels.dll
2017-03-19 04:58 - 2017-03-19 04:58 - 002836480 _____ () C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUIDataModel.dll
2017-12-08 14:13 - 2017-12-08 14:13 - 000102088 _____ () C:\Users\Sinsuat\AppData\Local\Microsoft\OneDrive\17.3.7131.1115\UpdateRingSettings.dll
2012-03-02 23:07 - 2011-05-18 05:27 - 000028672 _____ () C:\Windows\jmesoft\hidhook.dll
2012-03-02 23:40 - 2010-09-10 03:19 - 000210432 _____ () C:\Program Files\Lenovo\Lenovo Eye Distance System\KeyStoneAdapter.dll
2012-03-02 23:40 - 2010-09-10 03:18 - 000211456 _____ () C:\Program Files\Lenovo\Lenovo Eye Distance System\VideoPlayer.dll
2012-03-02 23:40 - 2010-09-21 02:08 - 000210432 _____ () C:\Program Files\Lenovo\Lenovo Brightness System\KeyStoneAdapter.dll
2012-03-02 23:40 - 2010-09-21 10:55 - 000182272 _____ () C:\Program Files\Lenovo\Lenovo Brightness System\DDCHelperWraper.dll
2009-12-05 08:59 - 2009-12-05 08:59 - 000619816 _____ () C:\Program Files (x86)\Lenovo\Power2Go\CLMediaLibrary.dll
2009-12-05 09:04 - 2009-12-05 09:04 - 000013096 _____ () C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvcPS.dll
==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-14 10:34 - 2009-06-11 05:00 - 000000824 _____ C:\WINDOWS\system32\Drivers\etc\hosts

==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\theme1\img13.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "Monitor"
==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [UDP Query User{A7C6614E-CB54-48FC-8910-B26EA7942EAE}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [TCP Query User{D701D5E5-52EB-4421-AF39-45CE938478CA}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{CCC3E1D4-ED0C-4AB2-B137-2B755A9DCC4E}D:\vlc\vlc.exe] => (Allow) D:\vlc\vlc.exe
FirewallRules: [TCP Query User{20FCC5C2-5F71-4910-95D2-26497F4FCE2B}D:\vlc\vlc.exe] => (Allow) D:\vlc\vlc.exe
FirewallRules: [{84009C6B-F803-49B8-B814-5DBCCF0052DA}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{53095523-EFFB-49EE-A22B-318871C5F816}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [UDP Query User{FE5ED642-49C7-49FB-8CCD-41B95DF32FEC}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [TCP Query User{6F0D0A53-F8E8-4A65-82C8-BF25B6D53626}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [{9682CC6E-54C8-48F2-AE91-7FA003E54B03}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{D8D30CF4-9A5D-4E14-9479-25677043104A}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{3FE2B457-1443-437D-93F9-6B49D196DDF5}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{9A17D3CE-B76A-4D24-9714-D5EF4B3E1D0B}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{62E8D04A-1C97-4A9A-828E-FBD7C4A51291}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{0F988BEA-E7F8-4646-BD0B-98BA22B875DB}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{50CDC316-7C8D-4601-B901-0927163A18BF}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{77C7860A-03E6-45B2-A54C-6513403DEB94}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{701B640D-C230-439C-BC2C-8A52A1A03323}] => (Allow) D:\leapfrog\LeapFrog Connect\LeapfrogConnect.exe
FirewallRules: [UDP Query User{C08DBF6E-E39D-4230-A035-289E8E1CFD57}D:\transformers rise of the dark spark\binaries\transgame.exe] => (Block) D:\transformers rise of the dark spark\binaries\transgame.exe
FirewallRules: [TCP Query User{2D4707B8-798C-4620-8104-23D083B4480C}D:\transformers rise of the dark spark\binaries\transgame.exe] => (Block) D:\transformers rise of the dark spark\binaries\transgame.exe
FirewallRules: [UDP Query User{5A894639-A59E-4953-909B-B3D9026B276B}D:\d my documents\nfs11.exe] => (Block) D:\d my documents\nfs11.exe
FirewallRules: [TCP Query User{1640EC66-D6DA-47A3-BB1C-F6184A2D3B8E}D:\d my documents\nfs11.exe] => (Block) D:\d my documents\nfs11.exe
FirewallRules: [{30F04F13-DB3C-4B3D-8BB0-5AD059E21AFA}] => (Allow) D:\D my documents\Launcher.exe
FirewallRules: [{DC9FCA70-D5F4-43C3-A010-4050CE1129E8}] => (Allow) D:\D my documents\Launcher.exe
FirewallRules: [UDP Query User{CD89657D-FE66-471A-857D-FADDB745B4A4}D:\transformers rise of the dark spark\binaries\transgame.exe] => (Block) D:\transformers rise of the dark spark\binaries\transgame.exe
FirewallRules: [TCP Query User{6C7E2FB5-36C2-48C8-8F0A-AADFCE228B5D}D:\transformers rise of the dark spark\binaries\transgame.exe] => (Block) D:\transformers rise of the dark spark\binaries\transgame.exe
FirewallRules: [{BE8E5770-2A25-4A8F-B357-1F25F17F737C}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{D5D24FEF-2725-4184-9549-662EE16CD9C6}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{F6F31248-142F-45B0-8CA6-A1DA83E8293A}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{7381FD8D-3607-4B82-841F-30730444DD00}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{145859B9-0C72-41F0-A02C-1B5D13C11092}] => (Allow) D:\skype\Phone\Skype.exe
FirewallRules: [{1FB079F7-9EB8-49AF-ADE1-32CE101D755E}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [{7CDEC7C0-AAFB-4BA9-AB92-5266B1B15D72}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{848DCB7B-C005-44BC-8651-7FDB1E839EAA}] => (Allow) LPort=1900
FirewallRules: [{F4B81348-DDEB-4655-B30E-0E117B0E1A84}] => (Allow) LPort=2869
FirewallRules: [{1C7361DF-CF5C-4F47-8D6D-BAB38255FA1A}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [TCP Query User{FD273EFB-7F39-45C3-AAC7-5CF4F8EFCE1C}C:\program files\java\jre1.8.0_91\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [UDP Query User{3332C4EF-C98E-4034-B235-98791F0B88BC}C:\program files\java\jre1.8.0_91\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [TCP Query User{C959EC5B-87E7-44DD-98DF-B3F83767FD13}D:\firefox\firefox.exe] => (Allow) D:\firefox\firefox.exe
FirewallRules: [UDP Query User{2DFC10E7-AA8C-4B08-A67A-E61C59BA6086}D:\firefox\firefox.exe] => (Allow) D:\firefox\firefox.exe
FirewallRules: [{6B413557-4BF2-429E-85DC-C40C3F693208}] => (Block) D:\firefox\firefox.exe
FirewallRules: [{4682A11F-0244-428A-B282-6D976BDD8B8D}] => (Block) D:\firefox\firefox.exe
FirewallRules: [TCP Query User{0B256E1A-A3A9-497B-9478-21A90C12F919}C:\program files\java\jre1.8.0_91\bin\javaw.exe] => (Block) C:\program files\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [UDP Query User{4D57B112-E968-43A7-BB05-1151E9B32E98}C:\program files\java\jre1.8.0_91\bin\javaw.exe] => (Block) C:\program files\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [{58296D20-4257-4460-9767-416834E76A02}] => (Allow) C:\Program Files\GoPro\GoPro Desktop App\GoPro Quik.exe
FirewallRules: [{5521C995-05E1-41A6-8F51-E02044726D36}] => (Allow) C:\Program Files\GoPro\GoPro Desktop App\GoProMsgBus.exe
FirewallRules: [{7C9C1212-3D60-483C-AA6C-1D016F58FF63}] => (Allow) C:\Program Files\GoPro\GoPro Desktop App\GoProIDService.exe
FirewallRules: [{CA0CB563-3232-4941-B0B6-3A80EEFEEE23}] => (Allow) C:\Program Files\GoPro\GoPro Desktop App\GoProLauncher.exe
FirewallRules: [TCP Query User{73AEC0E8-50F7-453B-9DB9-5AA63463ED6E}C:\program files\openshot video editor\launch.exe] => (Allow) C:\program files\openshot video editor\launch.exe
FirewallRules: [UDP Query User{BC157CDA-67BF-4C92-BF60-DCFAE23A7003}C:\program files\openshot video editor\launch.exe] => (Allow) C:\program files\openshot video editor\launch.exe
FirewallRules: [{58879822-5C22-4605-8729-3E6AD7660643}] => (Block) C:\program files\openshot video editor\launch.exe
FirewallRules: [{422A08B9-F4E8-420C-89C3-BE4BDBE0E631}] => (Block) C:\program files\openshot video editor\launch.exe
FirewallRules: [{3B8BA633-8CB5-4F95-9452-96B3DC67FEDA}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\Resolve.exe
FirewallRules: [{BE845F0C-478E-4C5A-AFB6-1A3B8F04359E}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\bmdpaneld.exe
FirewallRules: [{41D9D613-BAB4-46AA-9550-0C86723A8C06}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\DaVinciPanelDaemon.exe
FirewallRules: [{2B5DD3E4-CD79-4B9F-A1F3-B784B7881279}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\JLCooperPanelDaemon.exe
FirewallRules: [{5DDC62D2-5FAC-4857-AC5C-3306C8E6369C}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\EuphonixPanelDaemon.exe
FirewallRules: [{72B9210F-2D52-4A9F-8AB5-0B1869F37A74}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\TangentPanelDaemon.exe
FirewallRules: [{C1F3E45F-971B-44D4-A46B-6AD4BC4EC304}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\ElementsPanelDaemon.exe
FirewallRules: [{AB08A435-FE3A-4A54-8D20-82C2D5A147D2}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\OxygenPanelDaemon.exe
FirewallRules: [{D6DABDBF-8753-4B14-ABC6-50B2A057B840}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\DPDecoder.exe
FirewallRules: [{9DAEB865-0707-4405-82E5-8438C5EE14B1}] => (Allow) C:\ProgramData\Blackmagic Design\DaVinci Resolve\Support\QtDecoder\QTDecoder.exe
FirewallRules: [TCP Query User{3D2B5BA6-0820-48BB-BD8C-7996448C7698}C:\program files\blackmagic design\davinci resolve\dpdecoder.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\dpdecoder.exe
FirewallRules: [UDP Query User{E9971126-376F-45D1-8D80-91D659860130}C:\program files\blackmagic design\davinci resolve\dpdecoder.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\dpdecoder.exe
FirewallRules: [TCP Query User{8160CF9C-D079-45D4-B311-28C7E2A84954}C:\program files\blackmagic design\davinci resolve\resolve.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\resolve.exe
FirewallRules: [UDP Query User{EC04F5D1-0810-4273-A9F5-EB43D7D37AA3}C:\program files\blackmagic design\davinci resolve\resolve.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\resolve.exe
FirewallRules: [{1886CCD4-6E56-40BA-A241-FEA3567D4C1C}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
==================== Restore Points =========================
ATTENTION: System Restore is disabled
==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================
Application errors:
==================
Error: (12/27/2017 12:26:36 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Host Process for Windows Services because of this error.
Program: Host Process for Windows Services
File: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat
The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
 - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
 - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
Additional Data
Error value: C0000102
Disk type: 3
Error: (12/27/2017 12:26:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_CryptSvc, version: 10.0.15063.0, time stamp: 0x02799ef5
Faulting module name: bcryptPrimitives.dll, version: 10.0.15063.0, time stamp: 0x3bbaa205
Exception code: 0xc0000006
Fault offset: 0x0000000000003ef7
Faulting process id: 0x314
Faulting application start time: 0x01d37ecae1dc4926
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\System32\bcryptPrimitives.dll
Report Id: 2c7eca40-7861-4cc0-ae2e-357ed1e2d80b
Faulting package full name:
Faulting package-relative application ID:
Error: (12/27/2017 12:07:32 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Host Process for Windows Services because of this error.
Program: Host Process for Windows Services
File: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat
The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
 - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
 - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
Additional Data
Error value: C0000102
Disk type: 3
Error: (12/27/2017 12:07:32 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_CryptSvc, version: 10.0.15063.0, time stamp: 0x02799ef5
Faulting module name: bcryptPrimitives.dll, version: 10.0.15063.0, time stamp: 0x3bbaa205
Exception code: 0xc0000006
Fault offset: 0x0000000000003ef7
Faulting process id: 0x1d10
Faulting application start time: 0x01d37ec83747805b
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\System32\bcryptPrimitives.dll
Report Id: 2dd5d688-df24-4432-888a-5c003a6b2b7b
Faulting package full name:
Faulting package-relative application ID:
Error: (12/27/2017 12:04:01 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Host Process for Windows Services because of this error.
Program: Host Process for Windows Services
File: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat
The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
 - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
 - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
Additional Data
Error value: C0000102
Disk type: 3
Error: (12/27/2017 12:04:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_CryptSvc, version: 10.0.15063.0, time stamp: 0x02799ef5
Faulting module name: bcryptPrimitives.dll, version: 10.0.15063.0, time stamp: 0x3bbaa205
Exception code: 0xc0000006
Fault offset: 0x0000000000003ef7
Faulting process id: 0x1ee8
Faulting application start time: 0x01d37ec7b9c6c3fd
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\System32\bcryptPrimitives.dll
Report Id: 493f4759-2bf2-4b64-acb4-29b55d519c36
Faulting package full name:
Faulting package-relative application ID:
Error: (12/27/2017 12:00:56 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Host Process for Windows Services because of this error.
Program: Host Process for Windows Services
File: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat
The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
 - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
 - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
Additional Data
Error value: C0000102
Disk type: 3
Error: (12/27/2017 12:00:56 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_CryptSvc, version: 10.0.15063.0, time stamp: 0x02799ef5
Faulting module name: bcryptPrimitives.dll, version: 10.0.15063.0, time stamp: 0x3bbaa205
Exception code: 0xc0000006
Fault offset: 0x0000000000003ef7
Faulting process id: 0x2880
Faulting application start time: 0x01d37ec74b8fee8e
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\System32\bcryptPrimitives.dll
Report Id: dba10d47-1911-4553-919d-2e033535ed67
Faulting package full name:
Faulting package-relative application ID:
Error: (12/27/2017 12:00:43 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Host Process for Windows Services because of this error.
Program: Host Process for Windows Services
File: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat
The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
 - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
 - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
Additional Data
Error value: C0000102
Disk type: 3
Error: (12/27/2017 12:00:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_CryptSvc, version: 10.0.15063.0, time stamp: 0x02799ef5
Faulting module name: bcryptPrimitives.dll, version: 10.0.15063.0, time stamp: 0x3bbaa205
Exception code: 0xc0000006
Fault offset: 0x0000000000003ef7
Faulting process id: 0x72c
Faulting application start time: 0x01d37ec74439d041
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\System32\bcryptPrimitives.dll
Report Id: 46dac623-d7e6-4712-a0c5-e724edfddb96
Faulting package full name:
Faulting package-relative application ID:

System errors:
=============
Error: (12/27/2017 12:26:46 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 50 time(s).
Error: (12/27/2017 12:08:24 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800706ba: 2017-12 Security Update for Adobe Flash Player for Windows 10 Version 1703 for x64-based Systems (KB4053577).
Error: (12/27/2017 12:08:08 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800706ba: Update for Windows 10 Version 1703 for x64-based Systems (KB4033631).
Error: (12/27/2017 12:07:53 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800706be: SAMSUNG Electronics Co., Ltd. - Other hardware - SAMSUNG Mobile MTP Device.
Error: (12/27/2017 12:07:42 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 49 time(s).
Error: (12/27/2017 12:04:11 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 48 time(s).
Error: (12/27/2017 12:01:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 47 time(s).
Error: (12/27/2017 12:00:53 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 46 time(s).
Error: (12/27/2017 12:00:40 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 45 time(s).
Error: (12/27/2017 12:00:21 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 44 time(s).

CodeIntegrity:
===================================
  Date: 2017-12-27 12:25:54.843
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
  Date: 2017-12-27 12:25:54.787
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
  Date: 2017-12-27 11:58:05.124
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
  Date: 2017-12-27 11:58:04.841
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
  Date: 2017-12-27 11:34:52.087
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\SecurityHealthService.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Windows signing level requirements.
  Date: 2017-12-27 11:34:52.031
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\SecurityHealthService.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Windows signing level requirements.
  Date: 2017-12-27 11:34:51.945
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\SecurityHealthService.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Windows signing level requirements.
  Date: 2017-12-27 11:12:21.658
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
  Date: 2017-12-27 11:12:21.564
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
  Date: 2017-12-27 10:48:51.843
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

==================== Memory info ===========================
Processor: Intel® Core™ i5-2320 CPU @ 3.00GHz
Percentage of memory in use: 60%
Total physical RAM: 4078.45 MB
Available physical RAM: 1631.24 MB
Total Virtual: 8174.45 MB
Available Virtual: 4674.97 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:97.66 GB) (Free:13.45 GB) NTFS
Drive d: () (Fixed) (Total:342.93 GB) (Free:104.96 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 54BCC2DE)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=97.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=342.9 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=25.1 GB) - (Type=12)
==================== End of Addition.txt ============================

 

We would very much appreciate your support to see if there is any malware on the computer and find out why we cannot download essential updates for Windows 10.

 

Many thanks. 
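The event-log section of the FRST output above is the part a responder would read first, and the codes in it are worth decoding before deciding whether this is malware or a disk problem. The script below is an added example, not part of this thread and not a feature of FRST: it parses FRST-style event lines from a constructed sample (a trimmed copy of the lines posted above), pairs each Application Error 1000 crash with the 1005 file-access failure logged at the same second, and names the codes using Microsoft's published constants (0xC0000102 is STATUS_FILE_CORRUPT_ERROR, 0xC0000006 is STATUS_IN_PAGE_ERROR, and 0x8007xxxx HRESULTs wrap Win32 codes, here 1722 RPC_S_SERVER_UNAVAILABLE and 1726 RPC_S_CALL_FAILED). The regexes and function names are mine.

```python
"""Correlate FRST 'Event log errors' lines: CryptSvc crashes, the file each
crash was reading, and the Windows Update failure codes.

Added example, not part of the thread or of FRST. Regexes and names are mine;
the code names come from Microsoft's ntstatus.h / winerror.h.
"""
import re

# Constructed sample: a trimmed copy of the event lines posted above
# (two of the five 1005/1000 pairs, one SCM 7034, two update failures).
SAMPLE_LOG = r"""Error: (12/27/2017 12:26:36 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat for one of the following reasons:
Error value: C0000102
Error: (12/27/2017 12:26:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_CryptSvc, version: 10.0.15063.0, time stamp: 0x02799ef5
Faulting module name: bcryptPrimitives.dll, version: 10.0.15063.0, time stamp: 0x3bbaa205
Exception code: 0xc0000006
Error: (12/27/2017 12:07:32 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat for one of the following reasons:
Error value: C0000102
Error: (12/27/2017 12:07:32 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_CryptSvc, version: 10.0.15063.0, time stamp: 0x02799ef5
Exception code: 0xc0000006
Error: (12/27/2017 12:26:46 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 50 time(s).
Error: (12/27/2017 12:08:24 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800706ba: 2017-12 Security Update for Adobe Flash Player for Windows 10 Version 1703 for x64-based Systems (KB4053577).
Error: (12/27/2017 12:07:53 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800706be: SAMSUNG Electronics Co., Ltd. - Other hardware - SAMSUNG Mobile MTP Device.
"""

NTSTATUS = {0xC0000006: "STATUS_IN_PAGE_ERROR",        # page-in from a mapped file failed
            0xC0000102: "STATUS_FILE_CORRUPT_ERROR"}   # "corrupt and unreadable, run chkdsk"
WIN32 = {1722: "RPC_S_SERVER_UNAVAILABLE", 1726: "RPC_S_CALL_FAILED"}

HEADER_RE = re.compile(r"^Error: \((?P<time>[^)]+)\) \(Source: (?P<source>[^)]+)\) "
                       r"\(EventID: (?P<id>\d+)\) \(User: [^)]*\)\s*$")
FILE_RE = re.compile(r"cannot access the file (?P<path>.+?) for one of")
ERRVAL_RE = re.compile(r"^Error value: ([0-9A-Fa-f]+)$", re.M)
APP_RE = re.compile(r"^Description: Faulting application name: (\S+),", re.M)
EXC_RE = re.compile(r"^Exception code: 0x([0-9A-Fa-f]+)$", re.M)
WU_RE = re.compile(r"error (0x[0-9A-Fa-f]{8}): (?P<what>.+?)\.?$", re.M)


def decode_hresult(hr):
    """Name an update HRESULT; 0x8007xxxx is FACILITY_WIN32 wrapping a Win32 code."""
    if (hr >> 16) == 0x8007:
        code = hr & 0xFFFF
        return WIN32.get(code, f"WIN32 error {code}")
    return f"HRESULT 0x{hr:08X}"


def parse_events(text):
    """Split FRST event lines into records of {time, source, id, body}."""
    events = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            events.append({"time": m["time"], "source": m["source"],
                           "id": int(m["id"]), "body": []})
        elif events and line.strip():
            events[-1]["body"].append(line.strip())
    return events


def summarize(text):
    """Pair each 1000 crash with the 1005 logged at the same second; decode codes."""
    # FRST lists newest first, and the 1005 precedes the 1000 it belongs to.
    file_by_time, crash_pairs, update_failures, scm_terminations = {}, [], [], 0
    for ev in parse_events(text):
        body = "\n".join(ev["body"])
        if ev["source"] == "Application Error" and ev["id"] == 1005:
            code = int(ERRVAL_RE.search(body).group(1), 16)
            file_by_time[ev["time"]] = (FILE_RE.search(body).group("path"),
                                        NTSTATUS.get(code, f"0x{code:08X}"))
        elif ev["source"] == "Application Error" and ev["id"] == 1000:
            exc = int(EXC_RE.search(body).group(1), 16)
            path, file_error = file_by_time.get(ev["time"], (None, None))
            crash_pairs.append({"time": ev["time"], "app": APP_RE.search(body).group(1),
                                "exception": NTSTATUS.get(exc, f"0x{exc:08X}"),
                                "file": path, "file_error": file_error})
        elif ev["source"] == "Service Control Manager" and ev["id"] == 7034:
            if "Cryptographic Services" in body:
                scm_terminations += 1
        elif ev["source"] == "Microsoft-Windows-WindowsUpdateClient" and ev["id"] == 20:
            m = WU_RE.search(body)
            update_failures.append((m["what"], decode_hresult(int(m.group(1), 16))))
    return {"crash_pairs": crash_pairs, "update_failures": update_failures,
            "scm_terminations": scm_terminations}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run over the pasted section instead of the sample, this gives the picture a responder wants in one screen: every CryptSvc crash is an in-page read error (the service was reading a memory-mapped file and the read failed) on the same catalog file that the preceding 1005 reports as corrupt, the Service Control Manager counts those crashes, and the Windows Update client's 0x800706ba/0x800706be are RPC "server unavailable" and "call failed", which is consistent with its call into Cryptographic Services dying mid-request. Whether the corrupt .cat file is the cause or a symptom of a wider disk problem is what a disk check answers.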

 




 


#2 SleepyDude

SleepyDude

  • Malware Response Team
  • 3,076 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:02:34 PM

Posted 27 December 2017 - 06:31 AM

Hi,
 

Let's do some checking and then try to work on those Windows problems...

 

Install and Run a Malwarebytes scan

  • Please download Malwarebytes' Anti-Malware from here
  • Double-click the mb3-setup-{version}.exe and follow the prompts to install the program
  • Then click Finish and wait for the program to load
  • Click Close on the 14-day Premium Trial pop-up
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu

(If another update of the definitions is available, it will be implemented before the rest of the scanning procedure)

  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart the computer when prompted to do so.
  • If the program didn't ask for a Reboot, Click on Export Summary and select Copy to Clipboard. Paste the content in your next reply

To retrieve the Malwarebytes Anti-Malware scan log information after Reboot

  • Run Malwarebytes again
  • on the left side menu Click on Reports
  • locate the event named Scan Report on the list with the most recent date
  • check the corresponding box and click View Report
  • Click the Export button and select Copy to Clipboard. Paste the content in your next reply

 

 

Did you disable System Restore?

 

It's important to have System Restore enabled during the fixing process, so please follow this guide:

http://www.thewindowsclub.com/system-restore-disabled-turn-on-system-restore-windows

to enable this feature.


• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#3 byallmeans

byallmeans
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:34 PM

Posted 29 December 2017 - 07:57 PM

Hi SleepyDude,

 

Sorry it took a few days to get back to you again. Yesterday the malware wouldn't download. All completed now, but my computer didn't ask for a reboot after quarantining four threats. Here is the exported report:

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 12/30/17
Scan Time: 8:27 AM
Log File: 480b434a-ecf8-11e7-8e96-4437e694adc8.json
Administrator: Yes
 
-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3586
License: Trial
 
-System Information-
OS: Windows 10 (Build 16299.15)
CPU: x64
File System: NTFS
User: Sinsuat-PC\Sinsuat
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 414411
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 21 min, 23 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 3
PUP.Optional.FileViewPro, C:\Users\Sinsuat\AppData\Local\FileViewPro\FileViewPro.exe_Url_jn4xqozlzppxcht2yt2wvho2bxkp31wm\1.1.0.0, Quarantined, [777], [319819],1.0.3586
PUP.Optional.FileViewPro, C:\Users\Sinsuat\AppData\Local\FileViewPro\FileViewPro.exe_Url_jn4xqozlzppxcht2yt2wvho2bxkp31wm, Quarantined, [777], [319819],1.0.3586
PUP.Optional.FileViewPro, C:\USERS\SINSUAT\APPDATA\LOCAL\FILEVIEWPRO, Quarantined, [777], [319819],1.0.3586
 
File: 1
PUP.Optional.FileViewPro, C:\Users\Sinsuat\AppData\Local\FileViewPro\FileViewPro.exe_Url_jn4xqozlzppxcht2yt2wvho2bxkp31wm\1.1.0.0\user.config, Quarantined, [777], [319819],1.0.3586
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
 
I deleted the four quarantined threats. Can you let me know if I need to do anything else please. If there's nothing else, thank you very much for your help.


#4 SleepyDude

SleepyDude

  • Malware Response Team
  • 3,076 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:02:34 PM

Posted 30 December 2017 - 01:13 PM

Hi,

 

Thanks for the report.

 

» Check the Disk for Errors

  • open the Command Prompt as Administrator (Tutorial)
  • type the command:
    chkdsk /r /x C:
    Note: When it asks if you want to check the volume the next time the system restarts, answer Yes
  • Restart the Computer and let the check run during boot. (The scan can take a long time depending on the size of the HDD, speed of the machine and errors found)

Next,

  • download ListChkdskResult
  • execute the file and accept all the Windows prompts to authorize the program to run
  • Notepad will open with a report showing the chkdsk result
  • copy & paste the log to your reply

Edited by SleepyDude, 30 December 2017 - 01:17 PM.

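ListChkdskResult reads the result of the boot-time disk check, which Windows writes to the Application log as Microsoft-Windows-Wininit event 1001. As an added example (not the tool linked above and not code from this thread), the script below pulls that event with wevtutil, a tool built into Windows, and tabulates the Stage 1 repair messages: for each cross-linked attribute record chkdsk deleted it reports the file record segment (an MFT record number, not a path), whether the record was a file's $DATA content or a directory's $INDEX_ALLOCATION ($I30), and how many clusters were involved. The sample message is constructed in chkdsk's own wording so the parser can be exercised off-Windows; the regex and function names are mine.

```python
"""Fetch the boot-time chkdsk result and tabulate what Stage 1 deleted.

Added example, not the ListChkdskResult tool and not code from the thread.
Windows writes the result to the Application log as Microsoft-Windows-Wininit
event 1001; wevtutil (built into Windows) retrieves it. Names are mine.
"""
import re
import subprocess
from collections import Counter

ATTR_TYPES = {0x80: "$DATA", 0xA0: "$INDEX_ALLOCATION"}  # NTFS attribute type codes

# One Stage 1 repair message is six lines; the file record segment number
# (an MFT record index, not a path) is in the last line.
CROSSLINK_RE = re.compile(
    r"Attribute record of type 0x(?P<type>[0-9A-Fa-f]+) and instance tag 0x[0-9A-Fa-f]+ is cross linked\n"
    r"starting at 0x(?P<lcn>[0-9A-Fa-f]+) for possibly 0x(?P<count>[0-9A-Fa-f]+) clusters\.\n"
    r"Some clusters occupied by attribute of type 0x[0-9A-Fa-f]+ and instance tag 0x[0-9A-Fa-f]+\n"
    r"in file 0x[0-9A-Fa-f]+ is already in use\.\n"
    r"Deleting corrupt attribute record \(0x[0-9A-Fa-f]+, (?P<name>[^)]*)\)\n"
    r"from file record segment 0x(?P<frs>[0-9A-Fa-f]+)\.")

# Constructed sample in chkdsk's own wording: three repairs of the kind a
# Stage 1 run reports when clusters are claimed by two files at once.
SAMPLE_MESSAGE = """\
Checking file system on C:
The type of the file system is NTFS.

Stage 1: Examining basic file system structure ...
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d130a for possibly 0x2 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x150fc is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x150FC.
Attribute record of type 0xa0 and instance tag 0x3 is cross linked
starting at 0x2d12e3 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0xa0 and instance tag 0x3
in file 0x1e171 is already in use.
Deleting corrupt attribute record (0xA0, $I30)
from file record segment 0x1E171.
Attribute record of type 0x80 and instance tag 0x7 is cross linked
starting at 0x2d1307 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x7
in file 0x1f700 is already in use.
Deleting corrupt attribute record (0x80, WofCompressedData)
from file record segment 0x1F700.
"""


def parse_crosslinks(message):
    """One dict per attribute record chkdsk deleted because its clusters
    were also claimed by another file record."""
    text = "\n".join(line.strip() for line in message.splitlines())
    records = []
    for m in CROSSLINK_RE.finditer(text):
        attr_type = int(m["type"], 16)
        records.append({
            "frs": int(m["frs"], 16),                       # MFT record number
            "attribute": ATTR_TYPES.get(attr_type, f"0x{attr_type:X}"),
            "stream": m["name"].strip('"'),                 # "" is the unnamed $DATA, i.e. file content
            "lcn": int(m["lcn"], 16),                       # first cluster of the overlap
            "clusters": int(m["count"], 16),
        })
    return records


def summarize_crosslinks(records):
    """How many records lost file content vs. a directory index, and clusters involved."""
    return {"records": len(records),
            "by_type": dict(Counter(r["attribute"] for r in records)),
            "clusters": sum(r["clusters"] for r in records)}


def latest_chkdsk_message():
    """Newest Wininit 1001 event as rendered text (Windows only, run elevated)."""
    query = "*[System[Provider[@Name='Microsoft-Windows-Wininit'] and (EventID=1001)]]"
    done = subprocess.run(["wevtutil", "qe", "Application", f"/q:{query}",
                           "/rd:true", "/c:1", "/f:text"],
                          capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    try:
        message = latest_chkdsk_message()
    except (OSError, subprocess.CalledProcessError):   # not on Windows, or no chkdsk event yet
        message = SAMPLE_MESSAGE
    found = parse_crosslinks(message)
    for r in found:
        print(f"FRS 0x{r['frs']:X}: {r['attribute']} {r['stream']!r} lost, "
              f"{r['clusters']} cluster(s) from LCN 0x{r['lcn']:X}")
    print(summarize_crosslinks(found))
```

The caveat the table makes visible: when chkdsk deletes a cross-linked unnamed $DATA record, the file keeps its name but its content is gone, and the only identifier in the log is the MFT record number. If such a run touches files under C:\Windows, the repair is not the end of the job; the affected components still have to be restored (sfc /scannow, or DISM /Online /Cleanup-Image /RestoreHealth) before Windows Update can be expected to verify its catalogs again.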

 
 


#5 byallmeans

byallmeans
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:34 PM

Posted 30 December 2017 - 09:45 PM

Hi SleepyDude,

 

Here is the report from the ListChkdskResult from Notepad:

 

ListChkdskResult by SleepyDude v0.1.7 Beta | 21-09-2013
 
------< Log generate on 31/12/2017 10:41:49 >------
Category: 0
Computer Name: Sinsuat-PC
Event Code: 1001
Record Number: 1857
Source Name: Microsoft-Windows-Wininit
Time Written: 12-31-2017 @ 02:31:57
Event Type: Information
User: 
Message: 
 
Checking file system on C:
The type of the file system is NTFS.
 
A disk check has been scheduled.
Windows will now check the disk.                         
 
Stage 1: Examining basic file system structure ...
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d130a for possibly 0x2 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x150fc is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x150FC.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x2d12d0 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x3
in file 0x1e0d1 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1E0D1.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d12d3 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x1e0d3 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1E0D3.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x2d12d4 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x3
in file 0x1e0e2 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1E0E2.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d12d7 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x1e0f2 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1E0F2.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d12d9 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x1e0f4 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1E0F4.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d12db for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x1e0f9 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1E0F9.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d12dc for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x1e100 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1E100.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d12df for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x1e103 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1E103.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d12e1 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x1e105 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1E105.
Attribute record of type 0xa0 and instance tag 0x3 is cross linked
starting at 0x2d12e3 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0xa0 and instance tag 0x3
in file 0x1e171 is already in use.
Deleting corrupt attribute record (0xA0, $I30)
from file record segment 0x1E171.
Attribute record of type 0xa0 and instance tag 0x4 is cross linked
starting at 0x2d12e7 for possibly 0x2 clusters.
Some clusters occupied by attribute of type 0xa0 and instance tag 0x4
in file 0x1e1ad is already in use.
Deleting corrupt attribute record (0xA0, $I30)
from file record segment 0x1E1AD.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d12f0 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x1e6aa is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1E6AA.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d12f6 for possibly 0x2 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x1eb36 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1EB36.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d12f2 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x1eb92 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1EB92.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d12fb for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x1eda9 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1EDA9.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x2d12fe for possibly 0x5 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x3
in file 0x1f331 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1F331.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d1306 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x1f4c0 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x1F4C0.
Attribute record of type 0x80 and instance tag 0x7 is cross linked
starting at 0x2d1307 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x7
in file 0x1f700 is already in use.
Deleting corrupt attribute record (0x80, WofCompressedData)
from file record segment 0x1F700.
Attribute record of type 0xa0 and instance tag 0x4 is cross linked
starting at 0x2d12e4 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0xa0 and instance tag 0x4
in file 0x1f72f is already in use.
Deleting corrupt attribute record (0xA0, $I30)
from file record segment 0x1F72F.
Attribute record of type 0xa0 and instance tag 0x3 is cross linked
starting at 0x2d1309 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0xa0 and instance tag 0x3
in file 0x1f8c9 is already in use.
Deleting corrupt attribute record (0xA0, $I30)
from file record segment 0x1F8C9.
Attribute record of type 0x20 and instance tag 0xf is cross linked
starting at 0x2d1314 for possibly 0x1 clusters.
Deleted corrupt attribute list for file 20032.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d131c for possibly 0x2 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x20096 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x20096.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d131e for possibly 0x2 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x2009c is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x2009C.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d1325 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x203ca is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x203CA.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x2d1311 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x3
in file 0x2ac94 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x2AC94.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d1313 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x2ac95 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x2AC95.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x2d1083 for possibly 0x29 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x3
in file 0x2b455 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x2B455.
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d12f9 for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x4
in file 0x2fb32 is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x2FB32.
Attribute record of type 0x80 and instance tag 0x3 is cross linked
starting at 0x2d12fa for possibly 0x1 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag 0x3
in file 0x2fb4a is already in use.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x2FB4A.
  462592 file records processed.                                                        
 
File verification completed.
Deleting orphan file record segment 21942.
Deleting orphan file record segment 21950.
Deleting orphan file record segment 2244B.
  11788 large file records processed.                                   
 
  0 bad file records processed.                                     
 
 
Stage 2: Examining file name linkage ...
The sparse flag in standard information attribute in file 0x16486
should not be set.
Correcting sparse file record segment 91270.
The sparse flag in standard information attribute in file 0x24f2f
should not be set.
Correcting sparse file record segment 151343.
The sparse flag in standard information attribute in file 0x4c968
should not be set.
Correcting sparse file record segment 313704.
  28433 reparse records processed.                                      
 
A downpointer (VCN 0x0) was found in index $I30 in file 0x1e171 but the index has no index allocation attribute.
Removing corrupt index $I30 in file 1E171.
Recreating deleted index $I30 in file 1E171.
A downpointer (VCN 0x0) was found in index $I30 in file 0x1e1ad but the index has no index allocation attribute.
Removing corrupt index $I30 in file 1E1AD.
Recreating deleted index $I30 in file 1E1AD.
A downpointer (VCN 0x0) was found in index $I30 in file 0x1f72f but the index has no index allocation attribute.
Removing corrupt index $I30 in file 1F72F.
Recreating deleted index $I30 in file 1F72F.
A downpointer (VCN 0x0) was found in index $I30 in file 0x1f8c9 but the index has no index allocation attribute.
Removing corrupt index $I30 in file 1F8C9.
Recreating deleted index $I30 in file 1F8C9.
Unable to locate the file name attribute of index entry bear_frosting_2.ogg
of index $I30 with parent 0x21933 in file 0x20032.
Deleting index entry bear_frosting_2.ogg in index $I30 of file 21933.
Unable to locate the file name attribute of index entry bear_frosting_3.ogg
of index $I30 with parent 0x21933 in file 0x20032.
Deleting index entry bear_frosting_3.ogg in index $I30 of file 21933.
Unable to locate the file name attribute of index entry bear_frosting_4.ogg
of index $I30 with parent 0x21933 in file 0x20032.
Deleting index entry bear_frosting_4.ogg in index $I30 of file 21933.
Unable to locate the file name attribute of index entry giant_bear_correct.ogg
of index $I30 with parent 0x21943 in file 0x20032.
Deleting index entry giant_bear_correct.ogg in index $I30 of file 21943.
Unable to locate the file name attribute of index entry giant_bear_correct_no_swoosh.ogg
of index $I30 with parent 0x21943 in file 0x20032.
Deleting index entry giant_bear_correct_no_swoosh.ogg in index $I30 of file 21943.
Unable to locate the file name attribute of index entry giant_bear_wrong.ogg
of index $I30 with parent 0x21943 in file 0x20032.
Deleting index entry giant_bear_wrong.ogg in index $I30 of file 21943.
  552352 index entries processed.                                                       
 
Index verification completed.
CHKDSK is scanning unindexed files for reconnect to their original directory.
Recovering orphaned file 786D61~1 (35) into directory file 1E1AD.
Recovering orphaned file 786D61F3-C550-49B5-B86A-FC460E7E393E (35) into directory file 1E1AD.
Recovering orphaned file D40A1F~1 (367) into directory file 1E1AD.
Recovering orphaned file D40A1F35-5715-47F6-84DA-74779922155B (367) into directory file 1E1AD.
Recovering orphaned file WIDEVI~1.SIG (10FC) into directory file 1F8C9.
Recovering orphaned file widevinecdm.dll.sig (10FC) into directory file 1F8C9.
Recovering orphaned file 9097DC~1 (1189) into directory file 1E1AD.
Recovering orphaned file 9097DC8E-FA33-476C-BA3E-3AC992F643CA (1189) into directory file 1E1AD.
Recovering orphaned file 37C453~1 (2A4E) into directory file 1E1AD.
Recovering orphaned file 37C453E6-A9B9-40B9-8877-2581195F5C5B (2A4E) into directory file 1E1AD.
Skipping further messages about recovering orphans.
  32 unindexed files scanned.                                        
 
  32 unindexed files recovered to original directory.
  0 unindexed files recovered to lost and found.                    
 
  28433 reparse records processed.                                      
 
 
Stage 3: Examining security descriptors ...
Cleaning up 8814 unused index entries from index $SII of file 0x9.
Cleaning up 8814 unused index entries from index $SDH of file 0x9.
Cleaning up 8814 unused security descriptors.
CHKDSK is compacting the security descriptor stream
Security descriptor verification completed.
Inserting data attribute into file 150FC.
Inserting data attribute into file 1E0D1.
Inserting data attribute into file 1E0D3.
Inserting data attribute into file 1E0E2.
Inserting data attribute into file 1E0F2.
Inserting data attribute into file 1E0F4.
Inserting data attribute into file 1E0F9.
Inserting data attribute into file 1E100.
Inserting data attribute into file 1E103.
Inserting data attribute into file 1E105.
Inserting data attribute into file 1E6AA.
Inserting data attribute into file 1EB36.
Inserting data attribute into file 1EB92.
Inserting data attribute into file 1EDA9.
Inserting data attribute into file 1F331.
Inserting data attribute into file 1F4C0.
Inserting data attribute into file 20032.
Inserting data attribute into file 20096.
Inserting data attribute into file 2009C.
Inserting data attribute into file 203CA.
Inserting data attribute into file 2AC94.
Inserting data attribute into file 2AC95.
Inserting data attribute into file 2B455.
Inserting data attribute into file 2FB32.
Inserting data attribute into file 2FB4A.
  44906 data files processed.                                           
 
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
 
Stage 4: Looking for bad clusters in user file data ...
  462576 files processed.                                                               
 
File data verification completed.
 
Stage 5: Looking for bad, free clusters ...
  3749242 free clusters processed.                                                       
 
Free space verification is complete.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
 
Windows has made corrections to the file system.
No further action is required.
 
 102399999 KB total disk space.
  86687892 KB in 227238 files.
    178416 KB in 44880 indexes.
         0 KB in bad sectors.
    536723 KB in use by the system.
     65536 KB occupied by the log file.
  14996968 KB available on disk.
 
      4096 bytes in each allocation unit.
  25599999 total allocation units on disk.
   3749242 allocation units available on disk.
 
Internal Info:
00 0f 07 00 a9 26 04 00 c4 ac 07 00 00 00 00 00  .....&..........
ee 01 00 00 23 6d 00 00 00 00 00 00 00 00 00 00  ....#m..........
 
Windows has finished checking your disk.
Please wait while your computer restarts.
 
-----------------------------------------------------------------------
 
Advanced happy new year!


#6 byallmeans

byallmeans
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:34 PM

Posted 05 January 2018 - 02:27 AM

Hi... I'm guessing you had a great new year. Anyway, there was no reply to my last message, so I just wondered if everything should be sorted out now with regard to malware... Thank you very much for your time.



#7 SleepyDude

SleepyDude

  • Malware Response Team
  • 3,076 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:02:34 PM

Posted 05 January 2018 - 04:48 AM

Hi,
 
I'm very sorry, somehow I missed the e-mail notification when you updated your post!
 
Because chkdsk fixed several errors, I would like you to run another scan; this time it will run faster.
 
» Check the Disk for Errors
  • open the Command Prompt as Administrator (Tutorial)
  • type the command:
    chkdsk /f /x C:
    Note: When it asks if you want to check the volume the next time the system restarts, answer Yes.
  • Restart the computer and let the check run during boot.
After this, run ListChkdskResult again to get the new log and copy & paste the result into the topic.
 
Note: The arguments for chkdsk are different from the previous run, so make sure you copy & paste the command above.

• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem from one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui
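The two runs compared in this thread are long, and the only things that decide the next step are a handful of counters: did chkdsk repair anything, how many attribute records were cross linked, were orphans recovered, and, above all, are there any bad sectors (a disk problem rather than a software one). As an added example, not part of the original post or of the ListChkdskResult tool, here is a Python script that reduces a chkdsk message of the format shown in this thread to those counters and classifies the run. It assumes the message text has already been pulled out of the Application event log (Microsoft-Windows-Wininit, event 1001, as the records posted above show); the two samples are constructed abbreviations modelled on the logs in this thread, not captured events, and the verdict labels are this example's own.

```python
"""Parse and triage chkdsk output of the kind ListChkdskResult pulls from
Microsoft-Windows-Wininit event 1001 (the format posted in this thread)."""
import re
from dataclasses import dataclass

# Constructed samples, abbreviated from the two runs posted in the thread.
# They are illustrative text, not captured event records.
DIRTY_RUN = """\
Checking file system on C:
The type of the file system is NTFS.
Stage 1: Examining basic file system structure ...
Attribute record of type 0x80 and instance tag 0x4 is cross linked
starting at 0x2d130a for possibly 0x2 clusters.
Deleting corrupt attribute record (0x80, "")
from file record segment 0x150FC.
Attribute record of type 0xa0 and instance tag 0x3 is cross linked
starting at 0x2d12e3 for possibly 0x1 clusters.
Deleting corrupt attribute record (0xA0, $I30)
from file record segment 0x1E171.
Deleting orphan file record segment 21942.
Stage 2: Examining file name linkage ...
  32 unindexed files recovered to original directory.
  0 unindexed files recovered to lost and found.
Stage 3: Examining security descriptors ...
Stage 4: Looking for bad clusters in user file data ...
Stage 5: Looking for bad, free clusters ...
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.
         0 KB in bad sectors.
"""

CLEAN_RUN = """\
Checking file system on C:
The type of the file system is NTFS.
Stage 1: Examining basic file system structure ...
Stage 2: Examining file name linkage ...
  0 unindexed files recovered to lost and found.
Stage 3: Examining security descriptors ...
Windows has scanned the file system and found no problems.
         0 KB in bad sectors.
"""


@dataclass
class ChkdskSummary:
    corrections_made: bool
    stages: tuple            # stage numbers that ran; 4 and 5 only appear with /r (surface scan)
    cross_linked: int        # attribute records chkdsk reported as cross linked
    attrs_deleted: int       # corrupt attribute records it deleted
    orphans_deleted: int     # orphan file record segments it deleted
    recovered_to_dir: int    # unindexed files put back into their original directory
    recovered_to_lost: int   # unindexed files sent to the lost-and-found directory
    bitmap_corrected: bool   # "Correcting errors in the Volume Bitmap." was printed
    bad_sector_kb: int       # non-zero means the disk itself is failing


def _count(pattern, text):
    return len(re.findall(pattern, text, re.MULTILINE))


def _int_after(pattern, text, default=0):
    m = re.search(pattern, text, re.MULTILINE)
    return int(m.group(1)) if m else default


def parse_chkdsk(text):
    """Reduce one chkdsk message to the numbers that matter for triage."""
    return ChkdskSummary(
        corrections_made="Windows has made corrections to the file system." in text,
        stages=tuple(int(s) for s in re.findall(r"^Stage (\d):", text, re.MULTILINE)),
        cross_linked=_count(r"^Attribute record of type .* is cross linked$", text),
        attrs_deleted=_count(r"^Deleting corrupt attribute record", text),
        orphans_deleted=_count(r"^Deleting orphan file record segment", text),
        recovered_to_dir=_int_after(r"^\s*(\d+) unindexed files recovered to original directory", text),
        recovered_to_lost=_int_after(r"^\s*(\d+) unindexed files recovered to lost and found", text),
        bitmap_corrected="Correcting errors in the Volume Bitmap." in text,
        bad_sector_kb=_int_after(r"^\s*(\d+) KB in bad sectors", text),
    )


def verdict(summary):
    """Classify a single run. Bad sectors point at the media, not at malware;
    metadata repairs with zero bad sectors are what an unclean shutdown or an
    interrupted write leaves behind. Labels are this example's own."""
    if summary.bad_sector_kb > 0:
        return "media-failure"
    if summary.corrections_made:
        return "metadata-repaired"
    return "clean"


def corruption_recurring(previous, current):
    """True when a later run still had to repair after an earlier repair run,
    which is the signal that something keeps damaging the volume."""
    return previous.corrections_made and current.corrections_made


if __name__ == "__main__":
    first, second = parse_chkdsk(DIRTY_RUN), parse_chkdsk(CLEAN_RUN)
    for label, s in (("first run", first), ("second run", second)):
        print(f"{label}: {verdict(s)} cross_linked={s.cross_linked} "
              f"orphans={s.orphans_deleted} bad_kb={s.bad_sector_kb}")
    print("recurring:", corruption_recurring(first, second))
```

On a live machine, feed it the Message field of each Wininit 1001 record in date order; a clean second run after a repaired first run, with zero bad sectors in both, is the outcome the next post in this thread is hoping for, while a non-zero bad-sector count on any run moves the problem from malware triage to disk replacement.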

 
 


#8 byallmeans

byallmeans
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:34 PM

Posted 05 January 2018 - 07:35 AM

Hi SleepyDude,

 

No problem... Thanks for getting back to me. Here is the current ListChkdskResult:

 

Category: 0
Computer Name: Sinsuat-PC
Event Code: 1001
Record Number: 3759
Source Name: Microsoft-Windows-Wininit
Time Written: 01-05-2018 @ 12:26:49
Event Type: Information
User: 
Message: 
 
Checking file system on C:
The type of the file system is NTFS.
 
 
A disk check has been scheduled.
Windows will now check the disk.                         
 
Stage 1: Examining basic file system structure ...
  462592 file records processed.                                                        
 
File verification completed.
  12063 large file records processed.                                   
 
  0 bad file records processed.                                     
 
 
Stage 2: Examining file name linkage ...
  27781 reparse records processed.                                      
 
  552436 index entries processed.                                                       
 
Index verification completed.
  0 unindexed files scanned.                                        
 
  0 unindexed files recovered to lost and found.                    
 
  27781 reparse records processed.                                      
 
 
Stage 3: Examining security descriptors ...
Cleaning up 108 unused index entries from index $SII of file 0x9.
Cleaning up 108 unused index entries from index $SDH of file 0x9.
Cleaning up 108 unused security descriptors.
Security descriptor verification completed.
  44923 data files processed.                                           
 
CHKDSK is verifying Usn Journal...
  34645312 USN bytes processed.                                                           
 
Usn Journal verification completed.
 
Windows has scanned the file system and found no problems.
No further action is required.
 
 102399999 KB total disk space.
  89406924 KB in 231687 files.
    181804 KB in 44924 indexes.
         0 KB in bad sectors.
    571031 KB in use by the system.
     65536 KB occupied by the log file.
  12240240 KB available on disk.
 
      4096 bytes in each allocation unit.
  25599999 total allocation units on disk.
   3060060 allocation units available on disk.
 
Internal Info:
00 0f 07 00 2a 38 04 00 56 cb 07 00 00 00 00 00  ....*8..V.......
53 02 00 00 32 6a 00 00 00 00 00 00 00 00 00 00  S...2j..........
 
Windows has finished checking your disk.
Please wait while your computer restarts.
 
-----------------------------------------------------------------------
 
 
Many thanks!


#9 SleepyDude

  • Malware Response Team
  • 3,076 posts
  • Gender:Male
  • Location:Portugal

Posted 06 January 2018 - 07:46 AM

Hi,

Let's hope those file system errors stop appearing...

Please run FRST again and wait; let the tool update to the latest version, then click on the Scan button.

Post the new FRST.txt and Addition.txt logs.


• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of one of us helping with your problem.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

Proud graduate of GeekU and member of UNITE
___
Rui


#10 byallmeans
  • Topic Starter
  • Members
  • 28 posts

Posted 08 January 2018 - 12:40 AM

Hi SleepyDude,

I ran FRST again. Here is the new FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02.01.2018
Ran by Sinsuat (administrator) on SINSUAT-PC (08-01-2018 13:26:17)
Running from C:\Users\Sinsuat\Desktop
Loaded Profiles: Sinsuat & postgres (Available Profiles: Sinsuat & postgres & Administrator & DefaultAppPool)
Platform: Windows 10 Home Version 1709 16299.15 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
() C:\Windows\jmesoft\Service.exe
(DEVGURU Co., LTD.) C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\pg_ctl.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(LeapFrog Enterprises, Inc.) D:\leapfrog\LeapFrog Connect\CommandService.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(PostgreSQL Global Development Group) C:\Program Files\PostgreSQL\9.5\bin\postgres.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\NisSrv.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
() C:\Program Files\GoPro\GoPro Desktop App\GoProDeviceDetection.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\Windows\SysWOW64\UMonit.exe
(Lenovo) C:\Windows\jmesoft\hotkey.exe
() C:\Windows\jmesoft\JME_LOAD.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe
(CyberLink) C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe
(CANON INC.) C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.257.0_x64__kzf8qxf38zg5c\SkypeHost.exe
() C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.13411.0_x64__8wekyb3d8bbwe\Video.UI.exe
() C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.17086.24711.0_x64__8wekyb3d8bbwe\Music.UI.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsStore_11711.1001.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
() C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11543656 2010-10-26] (Realtek Semiconductor)
HKLM\...\Run: [UMonit] => C:\windows\SysWOW64\UMonit.exe********************************************************************************************************************************* [49152 2011-05-25] ()
HKLM-x32\...\Run: [jmekey] => C:\windows\jmesoft\hotkey.exe [118784 2011-06-09] (Lenovo)
HKLM-x32\...\Run: [jmesoft] => C:\Windows\jmesoft\ServiceLoader.exe [28672 2011-03-16] ()
HKLM-x32\...\Run: [Lenovo Eye Distance System] => C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe [265216 2010-09-10] (Lenovo)
HKLM-x32\...\Run: [Lenovo Dynamic Brightness System] => C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe [285696 2010-10-09] (Lenovo)
HKLM-x32\...\Run: [SetDefaultSCR] => C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe [102400 2009-12-31] (Lenovo)
HKLM-x32\...\Run: [CLMLServer] => C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe [103720 2009-12-05] (CyberLink)
HKLM-x32\...\Run: [UpdateP2GoShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-20] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe [222504 2009-05-14] (CyberLink Corp.)
HKLM-x32\...\Run: [CanonSolutionMenuEx] => C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1185112 2010-04-02] (CANON INC.)
HKLM-x32\...\Run: [Monitor] => D:\leapfrog\LeapFrog Connect\Monitor.exe [124536 2015-06-04] (LeapFrog Enterprises, Inc.)
HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [318128 2016-11-16] (Samsung Electronics Co., Ltd.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2015-11-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
HKU\S-1-5-21-3712062798-2683279141-1189575495-1005\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [519680 2017-09-29] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{18e60748-8034-4fb5-880c-df74119c0c4a}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{d8e6fbca-880e-4d4d-b5d8-322bc8b7b8a0}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com
HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LEND&bmod=LEND
HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ig/redirectdomain?brand=LEND&bmod=LEND
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3712062798-2683279141-1189575495-1001 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-3712062798-2683279141-1189575495-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3712062798-2683279141-1189575495-1001 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-3712062798-2683279141-1189575495-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_151\bin\ssv.dll [2017-12-27] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_151\bin\jp2ssv.dll [2017-12-27] (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\ssv.dll [2017-12-27] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2ssv.dll [2017-12-27] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-3712062798-2683279141-1189575495-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
 
FireFox:
========
FF ProfilePath: C:\Users\Sinsuat\AppData\Roaming\Mozilla\Firefox\Profiles\ujuvafdh.default [2018-01-08]
FF Extension: (YouTube mp3) - C:\Users\Sinsuat\AppData\Roaming\Mozilla\Firefox\Profiles\ujuvafdh.default\Extensions\info@youtube-mp3.org.xpi [2016-05-08] [Legacy]
FF Extension: (No Name) - C:\Users\Sinsuat\AppData\Roaming\Mozilla\Firefox\Profiles\ujuvafdh.default\Extensions\{b9acf540-acba-11e1-8ccb-001fd0e08bd4}.xpi [2017-09-30]
FF Extension: (Video DownloadHelper) - C:\Users\Sinsuat\AppData\Roaming\Mozilla\Firefox\Profiles\ujuvafdh.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2017-12-12]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_28_0_0_126.dll [2017-12-13] ()
FF Plugin: @java.com/DTPlugin,version=11.151.2 -> C:\Program Files\Java\jre1.8.0_151\bin\dtplugin\npDeployJava1.dll [2017-12-27] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.151.2 -> C:\Program Files\Java\jre1.8.0_151\bin\plugin2\npjp2.dll [2017-12-27] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_126.dll [2017-12-13] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\dtplugin\npDeployJava1.dll [2017-12-27] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\plugin2\npjp2.dll [2017-12-27] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-15] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> D:\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> D:\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> D:\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3712062798-2683279141-1189575495-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Sinsuat\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-06-08] (Unity Technologies ApS)
StartMenuInternet: FIREFOX.EXE - D:\firefox\firefox.exe
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxp://www.google.com/ig/redirectdomain?brand=LEND&bmod=LEND
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Sinsuat\AppData\Local\Google\Chrome\User Data\Default [2018-01-08]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Sinsuat\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-22]
CHR Extension: (Chrome Media Router) - C:\Users\Sinsuat\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-16]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ATTENTION: => Could not perform signature verification. Cryptographic Service is not running.
 
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-04-03] (Apple Inc.)
R2 GoProDeviceDetectionService; C:\Program Files\GoPro\GoPro Desktop App\GoProDeviceDetection.exe [38328 2017-09-26] ()
R2 JME Keyboard; C:\Windows\jmesoft\Service.exe [32768 2011-03-16] ()
R2 LeapFrog Connect Device Service; D:\leapfrog\LeapFrog Connect\CommandService.exe [7406712 2015-06-04] (LeapFrog Enterprises, Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S2 SkypeUpdate; D:\skype\Updater\Updater.exe [317400 2017-02-27] (Skype Technologies)
R2 ss_conn_service; C:\Program Files (x86)\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [754784 2016-07-22] (DEVGURU Co., LTD.)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\NisSrv.exe [356176 2017-12-08] (Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\MsMpEng.exe [105792 2017-12-08] (Microsoft Corporation)
R2 postgresql-x64-9.5; "C:\Program Files\PostgreSQL\9.5\bin\pg_ctl.exe" runservice -N "postgresql-x64-9.5" -D "C:\Program Files\PostgreSQL\9.5\data" -w
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [102912 2015-05-28] (Advanced Micro Devices)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77432 2017-11-29] ()
R3 GeneStor; C:\WINDOWS\System32\drivers\GeneStor.sys [58368 2011-05-18] (GenesysLogic)
R2 MBAMChameleon; C:\WINDOWS\System32\Drivers\MbamChameleon.sys [193968 2017-12-30] (Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\system32\DRIVERS\farflt.sys [110016 2018-01-07] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\DRIVERS\mbam.sys [46008 2018-01-07] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [253880 2018-01-07] (Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\DRIVERS\mwac.sys [94144 2018-01-08] (Malwarebytes)
R1 MpKsl04cb5fca; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7F353A8C-8DC8-46CE-B082-8682DA1E2654}\MpKsl04cb5fca.sys [58120 2018-01-06] (Microsoft Corporation)
R1 MpKsl607cb25a; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1EE3C591-D629-4017-8606-79652AE4F08F}\MpKsl607cb25a.sys [58120 2018-01-08] (Microsoft Corporation)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46072 2017-12-08] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [288848 2017-12-08] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [129616 2017-12-08] (Microsoft Corporation)
R0 WinI2C-DDC; C:\WINDOWS\System32\drivers\DDCDrv.sys [20832 2008-04-08] (Nicomsoft Ltd.)
R0 WinI2C-DDC; C:\Windows\SysWOW64\drivers\DDCDrv.sys [15712 2010-03-23] (Nicomsoft Ltd.)
U3 idsvc; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-08 13:24 - 2018-01-08 13:24 - 000000000 ____D C:\Users\Sinsuat\Desktop\FRST-OlderVersion
2018-01-08 11:38 - 2018-01-08 11:38 - 000000000 ___HD C:\OneDriveTemp
2018-01-07 09:28 - 2018-01-07 09:28 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2018-01-03 15:54 - 2018-01-03 15:54 - 001049223 _____ C:\Users\Sinsuat\Downloads\video-1514965833.mp4
2018-01-02 10:03 - 2018-01-06 19:34 - 000000000 ____D C:\WINDOWS\Minidump
2018-01-01 16:00 - 2018-01-01 16:06 - 000000000 ____D C:\Users\Sinsuat\Desktop\ice ice  baby
2018-01-01 11:15 - 2018-01-03 13:33 - 000000000 ____D C:\Users\Sinsuat\Desktop\new year 2018
2017-12-31 10:41 - 2018-01-05 20:30 - 000038276 _____ C:\Users\Sinsuat\Desktop\ListChkdskResult.txt
2017-12-31 10:40 - 2017-12-31 10:41 - 000197679 _____ C:\Users\Sinsuat\Downloads\ListChkdskResult.exe
2017-12-31 10:30 - 2017-12-31 10:30 - 000000072 ___SH C:\bootTel.dat
2017-12-30 16:06 - 2017-12-30 16:06 - 000000000 _____ C:\Users\Sinsuat\Desktop\~PIC877.tmp
2017-12-30 15:44 - 2017-12-30 15:44 - 000000000 ____D C:\Users\Sinsuat\AppData\Local\{BA2AF806-56B8-41B4-841D-5D58DFFE88B4}
2017-12-30 08:41 - 2017-12-30 16:31 - 000000000 ____D C:\Users\Sinsuat\AppData\Local\PlaceholderTileLogoFolder
2017-12-30 08:27 - 2018-01-08 11:43 - 000094144 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2017-12-30 08:27 - 2018-01-07 09:29 - 000253880 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2017-12-30 08:27 - 2018-01-07 09:29 - 000110016 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2017-12-30 08:27 - 2018-01-07 09:29 - 000046008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-12-30 08:27 - 2017-12-30 08:27 - 000193968 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamChameleon.sys
2017-12-30 08:26 - 2017-12-30 08:26 - 000001912 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-12-30 08:26 - 2017-12-30 08:26 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-12-30 08:26 - 2017-12-30 08:26 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-12-30 08:26 - 2017-12-30 08:26 - 000000000 ____D C:\Program Files\Malwarebytes
2017-12-30 08:26 - 2017-11-29 09:11 - 000077432 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-12-30 08:22 - 2017-12-30 08:26 - 083316440 _____ (Malwarebytes ) C:\Users\Sinsuat\Downloads\mb3-setup-1878.1878-3.3.1.2183.exe
2017-12-29 11:38 - 2017-12-29 11:41 - 000000000 ____D C:\Users\Sinsuat\Desktop\Justice League
2017-12-28 16:14 - 2017-12-28 16:24 - 007005800 _____ (Malwarebytes ) C:\Users\Sinsuat\Downloads\Unconfirmed 207334.crdownload
2017-12-28 16:10 - 2018-01-05 14:46 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\obs-studio
2017-12-28 16:10 - 2017-12-28 16:10 - 000001279 _____ C:\Users\Public\Desktop\OBS Studio.lnk
2017-12-28 16:10 - 2017-12-28 16:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OBS Studio
2017-12-28 16:10 - 2017-12-28 16:10 - 000000000 ____D C:\Program Files (x86)\obs-studio
2017-12-28 16:00 - 2017-12-28 16:04 - 102779800 _____ (obsproject.com) C:\Users\Sinsuat\Downloads\OBS-Studio-20.1.3-Full-Installer.exe
2017-12-28 12:49 - 2018-01-06 20:39 - 000001277 _____ C:\Users\Sinsuat\Desktop\nativelog.txt
2017-12-28 11:50 - 2017-12-28 11:53 - 000000000 ____D C:\WINDOWS\system32\config\bbimigrate
2017-12-28 11:50 - 2017-12-28 11:50 - 000000000 ___DL C:\Users\Public\Recorded TV (1)
2017-12-28 11:50 - 2017-12-28 11:50 - 000000000 ____D C:\Program Files\Common Files\SpeechEngines
2017-12-28 11:48 - 2017-12-28 11:50 - 000000000 ____D C:\WINDOWS\ServiceProfiles
2017-12-28 11:48 - 2017-12-28 11:48 - 000008192 _____ C:\WINDOWS\system32\config\userdiff
2017-12-28 11:47 - 2017-12-28 11:47 - 000000000 ____D C:\WINDOWS\SysWOW64\BestPractices
2017-12-28 11:47 - 2017-12-28 11:47 - 000000000 ____D C:\WINDOWS\system32\msmq
2017-12-28 11:47 - 2017-12-28 11:47 - 000000000 ____D C:\WINDOWS\system32\BestPractices
2017-12-28 11:47 - 2017-12-28 11:47 - 000000000 ____D C:\Program Files\Reference Assemblies
2017-12-28 11:47 - 2017-12-28 11:47 - 000000000 ____D C:\Program Files\MSBuild
2017-12-28 11:47 - 2017-12-28 11:47 - 000000000 ____D C:\Program Files (x86)\Reference Assemblies
2017-12-28 11:47 - 2017-12-28 11:47 - 000000000 ____D C:\Program Files (x86)\MSBuild
2017-12-28 11:47 - 2017-12-28 11:47 - 000000000 ____D C:\inetpub
2017-12-28 11:46 - 2017-09-29 07:50 - 001166520 _____ (Microsoft Corporation) C:\WINDOWS\system32\PresentationNative_v0300.dll
2017-12-28 11:46 - 2017-09-29 07:50 - 000124624 _____ (Microsoft Corporation) C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2017-12-28 11:46 - 2017-09-29 07:50 - 000035456 _____ (Microsoft Corporation) C:\WINDOWS\system32\TsWpfWrp.exe
2017-12-28 11:46 - 2017-09-23 10:19 - 000778936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PresentationNative_v0300.dll
2017-12-28 11:46 - 2017-09-23 10:19 - 000103120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2017-12-28 11:46 - 2017-09-23 10:19 - 000035456 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\TsWpfWrp.exe
2017-12-28 11:44 - 2017-12-28 11:44 - 002510336 _____ (Microsoft Corporation) C:\WINDOWS\system32\ResetEngine.dll
2017-12-28 11:44 - 2017-12-28 11:44 - 001160704 _____ (Microsoft Corporation) C:\WINDOWS\system32\reseteng.dll
2017-12-28 11:44 - 2017-12-28 11:44 - 000571288 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\spaceport.sys
2017-12-27 21:03 - 2017-12-27 21:02 - 000110144 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-64.dll
2017-12-27 20:35 - 2017-12-27 20:35 - 000000000 ____D C:\ProgramData\ATI
2017-12-27 20:34 - 2017-12-27 20:34 - 000000000 ____D C:\ProgramData\Microsoft OneDrive
2017-12-27 20:33 - 2017-12-27 20:33 - 000000000 ___HD C:\Users\Sinsuat\MicrosoftEdgeBackups
2017-12-27 20:31 - 2017-12-27 20:31 - 000000020 ___SH C:\Users\Sinsuat\ntuser.ini
2017-12-27 20:27 - 2018-01-08 11:41 - 000004162 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{29CC8ED9-4BF6-4606-9C9E-693AC51422EF}
2017-12-27 20:27 - 2018-01-07 09:28 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-12-27 20:27 - 2017-12-27 20:28 - 000019053 _____ C:\WINDOWS\diagwrn.xml
2017-12-27 20:27 - 2017-12-27 20:28 - 000019053 _____ C:\WINDOWS\diagerr.xml
2017-12-27 20:27 - 2017-12-27 20:27 - 000003482 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2017-12-27 20:27 - 2017-12-27 20:27 - 000003344 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2017-12-27 20:27 - 2017-12-27 20:27 - 000003322 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2017-12-27 20:27 - 2017-12-27 20:27 - 000003120 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2017-12-27 20:27 - 2017-12-27 20:27 - 000002860 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-3712062798-2683279141-1189575495-1001
2017-12-27 20:27 - 2017-12-27 20:27 - 000002856 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-3712062798-2683279141-1189575495-500
2017-12-27 20:27 - 2017-12-27 20:27 - 000000000 ____D C:\WINDOWS\System32\Tasks\WPD
2017-12-27 20:27 - 2017-12-27 20:27 - 000000000 ____D C:\WINDOWS\System32\Tasks\S-1-5-21-3712062798-2683279141-1189575495-1001
2017-12-27 20:27 - 2017-12-27 20:27 - 000000000 ____D C:\WINDOWS\System32\Tasks\OfficeSoftwareProtectionPlatform
2017-12-27 20:16 - 2017-12-27 20:16 - 000000020 ___SH C:\Users\postgres\ntuser.ini
2017-12-27 20:11 - 2017-12-27 20:11 - 000001519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2017-12-27 20:08 - 2017-12-30 16:31 - 000000000 ____D C:\Users\Sinsuat\AppData\Local\Packages
2017-12-27 20:08 - 2017-12-27 20:08 - 000000000 ____D C:\ProgramData\USOShared
2017-12-27 20:06 - 2018-01-06 21:04 - 000000000 ____D C:\Users\Sinsuat
2017-12-27 20:06 - 2018-01-06 19:18 - 000000000 ____D C:\Users\postgres
2017-12-27 20:06 - 2017-12-27 20:26 - 000000000 ____D C:\Users\DefaultAppPool
2017-12-27 20:06 - 2017-12-27 20:20 - 000000000 ____D C:\Users\Administrator
2017-12-27 20:06 - 2017-12-27 20:07 - 000000000 ____D C:\Users\Administrator\AppData\Local\Packages
2017-12-27 20:06 - 2017-12-27 20:00 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\ATI
2017-12-27 20:06 - 2017-12-27 20:00 - 000000000 ____D C:\Users\Sinsuat\AppData\Local\ATI
2017-12-27 20:06 - 2017-12-27 20:00 - 000000000 ____D C:\Users\postgres\AppData\Roaming\ATI
2017-12-27 20:06 - 2017-12-27 20:00 - 000000000 ____D C:\Users\postgres\AppData\Local\ATI
2017-12-27 20:06 - 2017-12-27 20:00 - 000000000 ____D C:\Users\DefaultAppPool\AppData\Roaming\ATI
2017-12-27 20:06 - 2017-12-27 20:00 - 000000000 ____D C:\Users\DefaultAppPool\AppData\Local\ATI
2017-12-27 20:06 - 2017-12-27 20:00 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\ATI
2017-12-27 20:06 - 2017-12-27 20:00 - 000000000 ____D C:\Users\Administrator\AppData\Local\ATI
2017-12-27 20:01 - 2018-01-07 09:32 - 001111166 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-12-27 20:01 - 2017-12-27 20:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Catalyst Control Center
2017-12-27 20:01 - 2017-12-27 20:01 - 000000000 ____D C:\Program Files\ATI Technologies
2017-12-27 20:00 - 2017-12-27 20:00 - 000000000 ____D C:\Users\Default\AppData\Roaming\ATI
2017-12-27 20:00 - 2017-12-27 20:00 - 000000000 ____D C:\Users\Default\AppData\Local\ATI
2017-12-27 20:00 - 2017-12-27 20:00 - 000000000 ____D C:\Users\Default User\AppData\Roaming\ATI
2017-12-27 20:00 - 2017-12-27 20:00 - 000000000 ____D C:\Users\Default User\AppData\Local\ATI
2017-12-27 20:00 - 2017-09-29 21:41 - 002241024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PrintConfig.dll
2017-12-27 19:57 - 2018-01-08 13:21 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2017-12-27 19:57 - 2017-12-27 20:16 - 000243552 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-12-27 16:40 - 2017-12-27 20:32 - 000000000 ___DC C:\WINDOWS\Panther
2017-12-27 12:53 - 2017-12-27 16:40 - 000000000 ____D C:\ESD
2017-12-27 12:30 - 2017-12-27 12:31 - 000056500 _____ C:\Users\Sinsuat\Desktop\Addition.txt
2017-12-27 12:27 - 2018-01-08 13:28 - 000018339 _____ C:\Users\Sinsuat\Desktop\FRST.txt
2017-12-27 12:27 - 2018-01-08 13:26 - 000000000 ____D C:\FRST
2017-12-27 12:24 - 2018-01-08 13:24 - 002393088 _____ (Farbar) C:\Users\Sinsuat\Desktop\FRST64.exe
2017-12-27 12:00 - 2017-12-27 12:00 - 000000000 ____D C:\Program Files\Common Files\Apple
2017-12-26 16:03 - 2017-12-27 13:53 - 000000000 ____D C:\Users\Sinsuat\Desktop\BAMP photos
2017-12-21 19:16 - 2017-12-27 13:53 - 000000000 ____D C:\Users\Sinsuat\Desktop\AES christmas
2017-12-15 16:43 - 2017-12-15 16:45 - 022427111 _____ C:\Users\Sinsuat\Downloads\video-1513323031.mp4
2017-12-15 16:43 - 2017-12-15 16:43 - 005604468 _____ C:\Users\Sinsuat\Downloads\video-1513322915.mp4
2017-12-14 18:07 - 2017-12-14 18:08 - 004879475 _____ C:\Users\Sinsuat\Downloads\forge-1.12.1-14.22.1.2478-installer-win.exe
2017-12-14 17:48 - 2017-12-14 17:49 - 004994654 _____ C:\Users\Sinsuat\Downloads\forge-1.12.2-14.23.1.2555-installer-win.exe
2017-12-14 12:29 - 2017-12-27 20:32 - 000000000 ___RD C:\Users\Sinsuat\3D Objects
2017-12-10 13:41 - 2017-12-10 13:41 - 000000000 ____D C:\Users\Administrator\AppData\Local\ElevatedDiagnostics
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-08 11:58 - 2017-01-18 08:03 - 000000000 ____D C:\Users\Sinsuat\AppData\LocalLow\Mozilla
2018-01-08 11:47 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\DeliveryOptimization
2018-01-08 11:46 - 2017-09-29 21:37 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-01-08 11:38 - 2016-04-19 17:44 - 000000000 ___RD C:\Users\Sinsuat\OneDrive
2018-01-07 09:30 - 2017-09-29 21:44 - 000000000 ____D C:\WINDOWS\INF
2018-01-07 09:27 - 2017-09-29 16:45 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2018-01-06 20:37 - 2016-05-10 16:05 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\.minecraft
2018-01-06 19:11 - 2014-09-13 15:00 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\SoftGrid Client
2018-01-06 14:13 - 2014-07-06 13:47 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\vlc
2018-01-06 09:09 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-01-05 11:28 - 2017-09-29 21:46 - 000000000 ___HD C:\Program Files\WindowsApps
2018-01-05 11:25 - 2017-02-09 18:40 - 000001290 _____ C:\Users\Sinsuat\Desktop\Roblox Studio.lnk
2018-01-05 11:25 - 2017-02-09 18:40 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox
2018-01-01 10:07 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\rescache
2017-12-30 09:05 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2017-12-29 11:40 - 2016-04-07 19:31 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\dvdcss
2017-12-28 13:06 - 2016-12-19 09:31 - 000000000 ____D C:\Users\Sinsuat\Desktop\old minecraft mods
2017-12-28 11:56 - 2017-09-29 21:46 - 000028672 _____ C:\WINDOWS\system32\config\BCD-Template
2017-12-28 11:53 - 2017-11-24 17:27 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PostgreSQL 9.5
2017-12-28 11:53 - 2017-11-24 14:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GoPro
2017-12-28 11:53 - 2017-09-29 21:49 - 000000000 ____D C:\WINDOWS\Setup
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 __SHD C:\Program Files\Windows Sidebar
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 __SHD C:\Program Files (x86)\Windows Sidebar
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 __RHD C:\Users\Public\Libraries
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\SysWOW64\IME
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\system32\WinBioDatabase
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\system32\spool
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\system32\NDF
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\system32\Macromed
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\system32\IME
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\schemas
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\PolicyDefinitions
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\ModemLogs
2017-12-28 11:53 - 2017-09-29 21:46 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2017-12-28 11:53 - 2017-05-18 07:01 - 000000000 ____D C:\Program Files\UNP
2017-12-28 11:53 - 2017-03-30 14:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2017-12-28 11:53 - 2017-03-19 05:03 - 000000000 ____D C:\WINDOWS\system32\Tasks_Migrated
2017-12-28 11:53 - 2016-05-10 15:59 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Minecraft
2017-12-28 11:53 - 2015-06-24 17:50 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LeapFrog Connect
2017-12-28 11:53 - 2015-02-22 16:24 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Transformers Rise of the Dark Spark
2017-12-28 11:53 - 2014-09-13 17:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Starter (English)
2017-12-28 11:53 - 2014-07-06 13:46 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2017-12-28 11:53 - 2014-06-30 20:00 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon CanoScan LiDE 210 Manual
2017-12-28 11:53 - 2014-06-30 03:13 - 000000000 ____D C:\WINDOWS\system32\MRT
2017-12-28 11:53 - 2014-06-29 11:40 - 000000000 ___HD C:\WINDOWS\system32\CanonIJ Uninstaller Information
2017-12-28 11:53 - 2014-06-29 11:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CanoScan LiDE 210
2017-12-28 11:53 - 2014-06-29 02:49 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2017-12-28 11:53 - 2012-03-02 23:44 - 000000000 ____D C:\WINDOWS\en
2017-12-28 11:53 - 2012-03-02 23:44 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live
2017-12-28 11:53 - 2012-03-02 23:03 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo
2017-12-28 11:53 - 2009-07-14 13:32 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2017-12-28 11:50 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\system32\oobe
2017-12-28 11:50 - 2017-05-23 17:56 - 000000000 ____D C:\Program Files\Realtek
2017-12-28 11:50 - 2017-05-23 17:56 - 000000000 ____D C:\Program Files\Common Files\ATI Technologies
2017-12-28 11:50 - 2017-05-23 17:56 - 000000000 ____D C:\Program Files\AMD
2017-12-28 11:50 - 2017-02-11 08:31 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung
2017-12-28 11:50 - 2014-06-30 20:00 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon Utilities
2017-12-28 11:50 - 2009-07-14 13:32 - 000000000 ____D C:\Program Files\Microsoft Games
2017-12-28 11:47 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\system32\inetsrv
2017-12-28 11:47 - 2017-09-29 21:43 - 000096256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mqoa.tlb
2017-12-28 11:47 - 2017-09-29 21:43 - 000090624 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mqoa30.tlb
2017-12-28 11:47 - 2017-09-29 21:43 - 000055296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mqoa20.tlb
2017-12-28 11:47 - 2017-09-29 21:43 - 000036864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mqoa10.tlb
2017-12-28 11:47 - 2017-09-29 21:41 - 000422912 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv.sys
2017-12-28 11:46 - 2017-09-29 21:43 - 000613376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mqsnap.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000562176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mqutil.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000261632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mqoa.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000204288 _____ (Microsoft Corporation) C:\WINDOWS\system32\iisRtl.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000172032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iisRtl.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000156160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mqrt.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000052736 _____ (Microsoft Corporation) C:\WINDOWS\system32\ahadmin.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000048640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\admwprox.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000026112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ahadmin.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000016896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iisreset.exe
2017-12-28 11:46 - 2017-09-29 21:43 - 000014848 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mqcertui.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000014336 _____ (Microsoft Corporation) C:\WINDOWS\system32\cngkeyhelper.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000011264 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wamregps.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000011264 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\cngkeyhelper.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000010240 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iisrstap.dll
2017-12-28 11:46 - 2017-09-29 21:43 - 000009096 _____ C:\WINDOWS\SysWOW64\msmqtrc.mof
2017-12-28 11:46 - 2017-09-29 21:42 - 000054272 _____ (Microsoft Corporation) C:\WINDOWS\system32\admwprox.dll
2017-12-28 11:46 - 2017-09-29 21:42 - 000018944 _____ (Microsoft Corporation) C:\WINDOWS\system32\iisreset.exe
2017-12-28 11:46 - 2017-09-29 21:42 - 000015360 _____ (Microsoft Corporation) C:\WINDOWS\system32\wamregps.dll
2017-12-28 11:46 - 2017-09-29 21:42 - 000013312 _____ (Microsoft Corporation) C:\WINDOWS\system32\iisrstap.dll
2017-12-28 11:46 - 2017-09-29 21:41 - 001381888 _____ (Microsoft Corporation) C:\WINDOWS\system32\mqqm.dll
2017-12-28 11:46 - 2017-09-29 21:41 - 000776192 _____ (Microsoft Corporation) C:\WINDOWS\system32\mqsnap.dll
2017-12-28 11:46 - 2017-09-29 21:41 - 000564224 _____ (Microsoft Corporation) C:\WINDOWS\system32\mqutil.dll
2017-12-28 11:46 - 2017-09-29 21:41 - 000306688 _____ (Microsoft Corporation) C:\WINDOWS\system32\mqoa.dll
2017-12-28 11:46 - 2017-09-29 21:41 - 000222720 _____ (Microsoft Corporation) C:\WINDOWS\system32\mqrt.dll
2017-12-28 11:46 - 2017-09-29 21:41 - 000176128 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mqac.sys
2017-12-28 11:46 - 2017-09-29 21:41 - 000125952 _____ (Microsoft Corporation) C:\WINDOWS\system32\mqlogmgr.dll
2017-12-28 11:46 - 2017-09-29 21:41 - 000096256 _____ (Microsoft Corporation) C:\WINDOWS\system32\mqoa.tlb
2017-12-28 11:46 - 2017-09-29 21:41 - 000090624 _____ (Microsoft Corporation) C:\WINDOWS\system32\mqoa30.tlb
2017-12-28 11:46 - 2017-09-29 21:41 - 000055296 _____ (Microsoft Corporation) C:\WINDOWS\system32\mqoa20.tlb
2017-12-28 11:46 - 2017-09-29 21:41 - 000053248 _____ (Microsoft Corporation) C:\WINDOWS\system32\mqbkup.exe
2017-12-28 11:46 - 2017-09-29 21:41 - 000036864 _____ (Microsoft Corporation) C:\WINDOWS\system32\mqoa10.tlb
2017-12-28 11:46 - 2017-09-29 21:41 - 000026112 _____ (Microsoft Corporation) C:\WINDOWS\system32\mqsvc.exe
2017-12-28 11:46 - 2017-09-29 21:41 - 000017408 _____ (Microsoft Corporation) C:\WINDOWS\system32\mqcertui.dll
2017-12-28 11:46 - 2017-09-29 21:41 - 000009096 _____ C:\WINDOWS\system32\msmqtrc.mof
2017-12-28 11:45 - 2017-09-29 22:42 - 000000000 ____D C:\WINDOWS\OCR
2017-12-28 11:45 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\system32\en-GB
2017-12-28 11:32 - 2016-09-24 09:34 - 000000000 ____H C:\$WINRE_BACKUP_PARTITION.MARKER
2017-12-28 03:51 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\appcompat
2017-12-27 21:03 - 2016-05-11 14:06 - 000000000 ____D C:\Program Files\Java
2017-12-27 21:03 - 2016-05-10 12:05 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-12-27 21:03 - 2016-05-10 12:05 - 000000000 ____D C:\Program Files (x86)\Java
2017-12-27 21:03 - 2016-05-08 16:29 - 000000000 ____D C:\ProgramData\Oracle
2017-12-27 21:02 - 2016-05-11 14:06 - 000110144 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge-64.dll
2017-12-27 21:02 - 2016-05-10 12:05 - 000097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2017-12-27 20:34 - 2016-09-23 18:29 - 000000000 ____D C:\Users\Sinsuat\AppData\Local\ConnectedDevicesPlatform
2017-12-27 20:32 - 2016-04-19 17:40 - 000000000 ____D C:\Users\Sinsuat\AppData\Local\TileDataLayer
2017-12-27 20:32 - 2016-02-13 21:20 - 000000000 __RHD C:\Users\Public\AccountPictures
2017-12-27 20:29 - 2017-09-29 16:45 - 000032768 _____ C:\WINDOWS\system32\config\ELAM
2017-12-27 20:27 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\Registration
2017-12-27 20:27 - 2016-04-19 17:27 - 000022840 _____ C:\WINDOWS\system32\emptyregdb.dat
2017-12-27 20:26 - 2017-09-29 21:46 - 000000000 __RSD C:\WINDOWS\media
2017-12-27 20:19 - 2012-03-02 23:45 - 000002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-12-27 20:11 - 2017-09-29 21:46 - 000000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2017-12-27 20:10 - 2017-09-29 21:46 - 000000000 ____D C:\WINDOWS\SysWOW64\inetsrv
2017-12-27 20:10 - 2016-09-23 18:11 - 000000000 ____D C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2017-12-27 20:10 - 2016-09-23 18:11 - 000000000 ____D C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2017-12-27 20:10 - 2016-05-27 14:48 - 000000000 ____D C:\Users\DefaultAppPool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2017-12-27 20:09 - 2014-06-28 22:07 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2017-12-27 20:08 - 2017-09-29 21:46 - 000000000 ____D C:\ProgramData\USOPrivate
2017-12-27 20:07 - 2017-11-24 17:28 - 000000000 ____D C:\Users\postgres\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2017-12-27 20:07 - 2017-11-24 06:09 - 000000000 ____D C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2017-12-27 20:01 - 2017-05-23 17:57 - 000972436 _____ C:\WINDOWS\SysWOW64\PerfStringBackup.INI
2017-12-27 20:01 - 2017-05-23 17:57 - 000000000 ____D C:\Program Files (x86)\ATI Technologies
2017-12-27 20:00 - 2017-09-29 16:45 - 000000000 ____D C:\WINDOWS\system32\Sysprep
2017-12-27 20:00 - 2016-09-23 18:01 - 000000000 ____D C:\Program Files\Common Files\logishrd
2017-12-27 20:00 - 2016-04-19 05:54 - 000000000 ____D C:\AMD
2017-12-27 19:59 - 2017-05-23 17:56 - 000000000 ____D C:\WINDOWS\SysWOW64\RTCOM
2017-12-27 12:00 - 2014-07-02 21:22 - 000000000 ____D C:\ProgramData\Apple
2017-12-13 17:39 - 2017-10-15 14:02 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2017-12-13 17:39 - 2014-06-30 03:13 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-12-12 17:54 - 2014-08-05 16:42 - 000000000 ____D C:\Users\Sinsuat\AppData\Roaming\Mozilla
2017-12-10 13:35 - 2017-11-24 06:21 - 000002427 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-12-10 13:35 - 2017-11-24 06:19 - 000000000 ___RD C:\Users\Administrator\OneDrive
 
==================== Files in the root of some directories =======
 
2012-03-02 23:41 - 2012-03-02 23:41 - 001914000 _____ (Adobe Systems Incorporated) C:\ProgramData\flashax10.exe
2016-10-23 10:43 - 2016-10-23 10:43 - 000000017 _____ () C:\Users\Sinsuat\AppData\Local\resmon.resmoncfg
 
Some files in TEMP:
====================
2018-01-01 17:50 - 2018-01-01 17:50 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-1310942827769966459.dll
2018-01-03 11:49 - 2018-01-03 11:49 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-1448239811945533596.dll
2018-01-04 17:31 - 2018-01-04 17:31 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-2278632190152093174.dll
2018-01-04 11:59 - 2018-01-04 11:59 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-2790068585652414533.dll
2018-01-02 14:37 - 2018-01-02 14:37 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-3161482167492755300.dll
2018-01-02 17:40 - 2018-01-02 17:40 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-3670856638397991884.dll
2018-01-03 17:31 - 2018-01-03 17:31 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-382818164645790928.dll
2017-12-31 19:19 - 2017-12-31 19:19 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-4086090162035770017.dll
2018-01-01 11:41 - 2018-01-01 11:41 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-4955206902456931761.dll
2018-01-01 16:42 - 2018-01-01 16:42 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-5089597513773029869.dll
2017-12-31 19:25 - 2017-12-31 19:25 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-6435266810552703774.dll
2018-01-02 13:32 - 2018-01-02 13:32 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-6618501226793767810.dll
2018-01-02 15:01 - 2018-01-02 15:01 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-6649423418004592462.dll
2018-01-03 19:49 - 2018-01-03 19:49 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-6844509071209804565.dll
2018-01-02 17:24 - 2018-01-02 17:24 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-7902839053848722165.dll
2018-01-02 17:38 - 2018-01-02 17:38 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-8025430580782760344.dll
2017-12-31 20:15 - 2017-12-31 20:15 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-8834322369692908267.dll
2017-12-31 18:58 - 2017-12-31 18:58 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-8935052052392718678.dll
2018-01-01 18:59 - 2018-01-01 18:59 - 000019968 ____N (Red Hat®, Inc.) C:\Users\Sinsuat\AppData\Local\Temp\jansi-64-979947244939144913.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\wininit.exe => MD5 is legit
C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\SysWOW64\explorer.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\SysWOW64\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll
[2017-09-29 21:41] - [2017-09-29 21:41] - 001633744 _____ (Microsoft Corporation) DE25E621D0372403244268CCF8EB5526
 
C:\WINDOWS\SysWOW64\User32.dll
[2017-09-29 21:42] - [2017-09-29 21:42] - 001528904 _____ (Microsoft Corporation) 2A821F9B6DA7034F56012DDF561BEE63
 
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\SysWOW64\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\dnsapi.dll
[2017-09-29 21:41] - [2017-09-29 21:41] - 000738808 _____ (Microsoft Corporation) 30C28923FB3CBC037D5B2972AB428A68
 
C:\WINDOWS\SysWOW64\dnsapi.dll
[2017-09-29 21:42] - [2017-09-29 21:42] - 000597160 _____ (Microsoft Corporation) F877880896DF2AEED8837DF5D29437F2
 
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit
 
LastRegBack: 2018-01-07 10:12
 
==================== End of FRST.txt ============================
 
 
Here is the Addition.txt:
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by Sinsuat (08-01-2018 13:28:52)
Running from C:\Users\Sinsuat\Desktop
Windows 10 Home Version 1709 16299.15 (X64) (2017-12-27 12:31:00)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3712062798-2683279141-1189575495-500 - Administrator - Enabled) => C:\Users\Administrator
DefaultAccount (S-1-5-21-3712062798-2683279141-1189575495-503 - Limited - Disabled)
Guest (S-1-5-21-3712062798-2683279141-1189575495-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3712062798-2683279141-1189575495-1003 - Limited - Enabled)
postgres (S-1-5-21-3712062798-2683279141-1189575495-1005 - Limited - Enabled) => C:\Users\postgres
Sinsuat (S-1-5-21-3712062798-2683279141-1189575495-1001 - Administrator - Enabled) => C:\Users\Sinsuat
WDAGUtilityAccount (S-1-5-21-3712062798-2683279141-1189575495-504 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.126 - Adobe Systems Incorporated)
AMD Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
AMD Catalyst Install Manager (HKLM\...\{AD2C4469-ACD9-4E78-91DE-A6BF6459959A}) (Version: 3.0.842.0 - Advanced Micro Devices, Inc.)
Apple Mobile Device Support (HKLM\...\{0A596141-97D5-45FA-9281-98DFAF48D579}) (Version: 10.3.2.3 - Apple Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Canon iP2700 series Printer Driver (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP2700_series) (Version:  - )
Canon MP Navigator EX 4.0 (HKLM-x32\...\MP Navigator EX 4.0) (Version:  - )
Canon Solution Menu EX (HKLM-x32\...\CanonSolutionMenuEX) (Version:  - )
CanoScan LiDE 210 Scanner Driver (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_cnq4809) (Version:  - )
Cisco Connect (HKLM-x32\...\Cisco Connect) (Version: 1.4.12263.1 - Cisco Consumer Products LLC)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
DB Browser for SQLite (HKLM-x32\...\SqliteBrowser3) (Version: 3.4.0 - oldsch00l)
Genesys USB Mass Storage Device (HKLM-x32\...\{959B7F35-2819-40C5-A0CD-3C53B5FCC935}) (Version: 4.0.2.1 - Genesys Logic)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.84 - Google Inc.)
Google Earth Pro (HKLM-x32\...\{ECF2E224-42F5-4E50-B58E-94CA70E85697}) (Version: 7.3.0.3832 - Google)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1118 - Intel Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 15.4 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.4229 - Intel Corporation)
Java 8 Update 151 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180151F0}) (Version: 8.0.1510.12 - Oracle Corporation)
Java 8 Update 151 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180151F0}) (Version: 8.0.1510.12 - Oracle Corporation)
Junk Mail filter update (HKLM-x32\...\{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}) (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
LeapFrog Connect (HKLM-x32\...\{5B0F473D-7E18-477F-99DC-3745D5A711E9}) (Version: 7.0.6.19846 - LeapFrog) Hidden
LeapFrog Connect (HKLM-x32\...\UPCShell) (Version: 7.0.6.19846 - LeapFrog)
LeapFrog LeapReader Plugin (HKLM-x32\...\{53136BA4-AEC5-4695-9A51-7C63B7F32E7C}) (Version: 7.0.6.19846 - LeapFrog) Hidden
Lenovo Blacksilk USB Keyboard Driver (HKLM-x32\...\{B266E062-D6C5-485B-B426-51B152B041A6}) (Version: V1.4.11.0608 - Lenovo)
Lenovo Driver and Application Installation (HKLM-x32\...\{45970CD1-D599-47D4-938F-3E9800D54ED1}) (Version: 5.10.1809 - Lenovo)
Lenovo Dynamic Brightness System (HKLM-x32\...\{D9ED6D06-6002-495E-A7BC-46E6AE386996}) (Version: 4.0.00.22080 - Lenovo)
Lenovo Eye Distance System (HKLM-x32\...\{5183D7AB-D09B-411F-A74E-BBAEA61C6505}) (Version: 4.0.00.21090 - Lenovo)
Lenovo Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.0.4827a - CyberLink Corp.) Hidden
Lenovo Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.0.4827a - CyberLink Corp.)
Lenovo Rescue System (HKLM\...\{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 3.0.1409 - CyberLink Corp.) Hidden
Lenovo Rescue System (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 3.0.1409 - CyberLink Corp.)
Lenovo Screensaver (HKLM-x32\...\{803E6DED-5050-4E3D-B26A-5915397362CD}) (Version: 1.0.5.110104 - Lenovo)
LVT (HKLM-x32\...\{D3063097-EC84-4D21-84A4-9D852E974355}) (Version: 4.1.2.0919 - Lenovo)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Mesh Runtime (HKLM-x32\...\{8C6D6116-B724-4810-8F2D-D047E6B7D68E}) (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\...\OneDriveSetup.exe) (Version: 17.3.7131.1115 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Minecraft (HKLM-x32\...\{1C16BCA3-EBC1-49F6-8623-8FBFB9CCC872}) (Version: 1.0.3.0 - Mojang)
Mozilla Firefox 31.0 (x86 en-GB) (HKLM-x32\...\Mozilla Firefox 31.0 (x86 en-GB)) (Version: 31.0 - Mozilla)
Mozilla Firefox 57.0.3 (x64 en-GB) (HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\...\Mozilla Firefox 57.0.3 (x64 en-GB)) (Version: 57.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
Need for Speed™ Hot Pursuit (HKLM-x32\...\{83A606F5-BF6F-42ED-9F33-B9F74297CDED}) (Version: 1.0.0.0 - Electronic Arts)
OBS Studio (HKLM-x32\...\OBS Studio) (Version: 20.1.3 - OBS Project)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
PostgreSQL 9.5  (HKLM\...\PostgreSQL 9.5) (Version: 9.5 - PostgreSQL Global Development Group)
Quik (HKLM\...\{D6D98E38-D75D-4E9C-916E-F68ED43A1F2F}) (Version: 0.1.290 - GoPro, Inc.) Hidden
Quik (HKLM-x32\...\{ed4c22dc-8424-496a-8732-a71d56b4b1cd}) (Version: 2.5.0.290 - GoPro, Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6230 - Realtek Semiconductor Corp.)
Roblox Player for Sinsuat (HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\...\{373B1718-8CC5-4567-8EE2-9033AD08A680}) (Version:  - Roblox Corporation)
ROBLOX Studio for Sinsuat (HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\...\{2922D6F1-2865-4EFA-97A9-94EEAB3AFA14}) (Version:  - ROBLOX Corporation)
Samsung Kies (HKLM-x32\...\{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.6.4.16113.3 - Samsung Electronics Co., Ltd.) Hidden
Samsung Kies (HKLM-x32\...\InstallShield_{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.6.4.16113.3 - Samsung Electronics Co., Ltd.)
Samsung Kies3 (HKLM-x32\...\{88547073-C566-4895-9005-EBE98EA3F7C7}) (Version: 3.2.16084.2 - Samsung Electronics Co., Ltd.) Hidden
Samsung Kies3 (HKLM-x32\...\InstallShield_{88547073-C566-4895-9005-EBE98EA3F7C7}) (Version: 3.2.16084.2 - Samsung Electronics Co., Ltd.)
Samsung USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.61.0 - Samsung Electronics Co., Ltd.)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.33 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.33.105 - Skype Technologies S.A.)
Transformers Rise of the Dark Spark (HKLM-x32\...\Transformers Rise of the Dark Spark_is1) (Version: 1.0.0.0 - Activision)
Unity Web Player (HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\...\UnityWebPlayer) (Version: 5.0.3f2 - Unity Technologies ApS)
Use the entry named LeapFrog Connect to uninstall (LeapFrog LeapReader Plugin) (HKLM-x32\...\LeapReaderPlugin) (Version:  - LeapFrog)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net  (09/10/2009 02.03.05.012) (HKLM\...\8F14F2ECEDE68D26EA515B48DC25B39103C4FE8D) (Version: 09/10/2009 02.03.05.012 - Leapfrog)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll [2017-03-19] (Microsoft Corporation)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll [2017-03-19] (Microsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\ShellExt.dll [2017-03-19] (Microsoft Corporation)
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\atiacm64.dll [2015-11-04] (Advanced Micro Devices, Inc.)
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0809EC5A-4E4D-4240-A68E-F837EE4491D6} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {0E893A81-D255-40F5-86E0-A55F92E34D2A} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {0F432E96-E0AA-452A-98F8-24D8FCB2F311} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {0F4596CB-DA76-4AD7-96F0-CD4846800D85} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {0FAB990D-AA25-4673-9594-1CA31A8826AB} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {1C318FCE-5646-45CA-89A4-E91EA7C0DFFC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {1CCDC358-13DE-4B3C-B07A-39010AEF2F7D} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {26D226DF-5C1B-45C6-ABFD-41FDB73F5510} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {26D794D9-A253-407D-BC03-CA5960232718} - System32\Tasks\S-1-5-21-3712062798-2683279141-1189575495-1001\DataSenseLiveTileTask => C:\WINDOWS\System32\DataUsageLiveTileTask.exe [2017-09-29] (Microsoft Corporation)
Task: {309D248C-2B84-41AA-A82F-2354ADE5990A} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {35811291-D85E-4379-ACCE-D70C0DED39EA} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {3E551DCF-7F2B-49FE-8DE4-3EE168103670} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {471F1EB6-4364-4B5A-8010-AF0C6D1BF61D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {5B5E53D6-CF56-436D-816E-CC7B72EEDDB9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {652A7B18-8522-4174-9D0D-060A98890D1C} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {69F66B84-3346-4AE0-8FE7-65FD8AA5E4B2} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {73737297-6991-4967-8723-86CCB0953FF8} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\WINDOWS\ehome\MCUpdate.exe
Task: {7B816CAA-2BB7-4B14-902E-5C3A4018D9AC} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8069869C-7166-4BAB-B3C6-2A40FDF107BC} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {80CE1719-DFC2-4F8D-A77F-3E23355F53A5} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {84C154CB-D0FB-4BDC-BABE-5C1443C14BAC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-09-01] (Google Inc.)
Task: {86B849BB-0F3F-4CEC-87CA-32C109FC7D9D} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => C:\WINDOWS\ehome\ehrec.exe
Task: {886623AE-AB68-47BE-9FCA-756759D696AA} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-09-27] (Adobe Systems Incorporated)
Task: {88D1E9D2-4F8E-400D-A6F8-20B29AD16442} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {8A8D66C3-1CDA-4349-B9D5-B3BABEE1C80D} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {936A85B3-F0C3-488E-9439-E7073486239E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {958D8EEF-2DDD-43BA-AE4F-2C2F430AB93F} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {9B2BB8DC-37D0-4D27-A13D-FECC5C8DF95C} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-12-13] (Adobe Systems Incorporated)
Task: {9D4610C9-BBC6-420D-B733-EBA6C97829E1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {9DFB3703-D980-4AD9-A23C-4D5419B2DA07} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {A0C7CABC-83D8-489C-8A32-BC2123D0CF6F} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {A644ABBB-BABF-4A76-95E2-2FEA3B1E16E1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {AFEB6689-2102-4A38-8D1E-A74CEDB202CF} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-09-01] (Google Inc.)
Task: {AFEF37D8-E244-4B70-809E-959E70048DD8} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => C:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: {B0741D0A-36CF-44C8-886F-345DF08A7184} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {B7909524-1129-4A7E-8C7E-126B4C0AA90E} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\WINDOWS\ehome\mcupdate.exe
Task: {BF3AE510-DE7A-41EC-98ED-F94D9F3A4D8C} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {BFE6F55D-39C4-4AD9-9D7C-2E1D42514C8B} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {C0CDB664-BE6A-4AE0-8E87-9D4D1E6DB74B} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {C146D59A-232E-4F59-BCAF-795BBB1277C6} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {CA52AEE6-992F-436A-97E9-E5706180714C} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\WINDOWS\ehome\ehrec.exe
Task: {CAF1515A-53CD-42C9-8CB5-F04EBC3A8E42} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {D315F9D9-5D8C-4BEE-834E-624B207EC613} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {E34F1157-850F-4A25-92DC-C2DD73EA7101} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {E68D3A09-FCD9-4567-9842-AF65614DD5A9} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {F24BEE43-72ED-4888-8146-12E1B2B7FE9B} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\WINDOWS\ehome\mcupdate.exe
Task: {F355317E-9B19-4F85-80E5-3669102E74FD} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {F9B04097-600A-47FC-9B56-B8C3599A40C4} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\WINDOWS\ehome\ehPrivJob.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2012-03-02 23:07 - 2011-03-16 12:47 - 000032768 _____ () C:\Windows\jmesoft\Service.exe
2017-12-30 08:26 - 2017-11-29 09:11 - 002301384 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2017-12-30 08:26 - 2017-11-29 09:11 - 002358728 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2017-11-24 17:26 - 2016-08-09 13:13 - 000183296 _____ () C:\Program Files\PostgreSQL\9.5\bin\LIBPQ.dll
2017-11-24 17:27 - 2016-07-27 16:08 - 002264576 _____ () C:\Program Files\PostgreSQL\9.5\bin\libxml2.dll
2017-09-26 18:50 - 2017-09-26 18:50 - 000038328 _____ () C:\Program Files\GoPro\GoPro Desktop App\GoProDeviceDetection.exe
2017-09-29 21:41 - 2017-09-29 21:41 - 000184432 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-09-29 21:42 - 2017-09-29 22:43 - 011044864 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-09-29 21:42 - 2017-09-29 22:43 - 001804288 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2012-03-02 23:08 - 2011-05-25 20:09 - 000049152 _____ () C:\Windows\SysWOW64\UMonit.exe
2012-03-02 23:07 - 2011-05-18 05:54 - 000024576 _____ () C:\Windows\jmesoft\JME_LOAD.exe
2018-01-03 11:45 - 2018-01-03 11:48 - 000086528 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.257.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2018-01-03 11:45 - 2018-01-03 11:48 - 000195072 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.257.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2018-01-03 11:44 - 2018-01-03 11:47 - 026507776 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.13411.0_x64__8wekyb3d8bbwe\Video.UI.exe
2018-01-03 11:44 - 2018-01-03 11:45 - 008370176 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.13411.0_x64__8wekyb3d8bbwe\EntCommon.dll
2017-09-27 13:28 - 2017-09-27 13:29 - 003553704 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17112.13411.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
2017-12-14 15:15 - 2017-12-14 15:17 - 035244544 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.17086.24711.0_x64__8wekyb3d8bbwe\Music.UI.exe
2017-12-14 15:15 - 2017-12-14 15:17 - 009220608 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.17086.24711.0_x64__8wekyb3d8bbwe\EntCommon.dll
2017-08-23 16:21 - 2017-08-23 16:23 - 000957952 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.17086.24711.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl.UI.Xaml.dll
2017-09-27 13:28 - 2017-09-27 13:29 - 003553704 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.17086.24711.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
2017-12-14 15:15 - 2017-12-14 15:17 - 013224960 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.17086.24711.0_x64__8wekyb3d8bbwe\Music.Visuals.dll
2017-12-06 14:15 - 2017-12-06 14:16 - 004698848 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_11711.1001.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 000477184 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
2017-12-14 15:15 - 2017-12-14 15:21 - 058590720 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.dll
2017-10-01 08:26 - 2017-10-01 08:30 - 002523136 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\UnityEngineDelegates.dll
2017-11-14 11:52 - 2017-11-14 12:09 - 000164864 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\VideoPlugin.dll
2017-10-01 08:26 - 2017-10-01 08:28 - 000675328 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\IPPNativePlugin.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 003727360 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\MediaEngineCSWrapper.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 002270720 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\TrackingDLLUWP.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 016395264 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\PhotosApp.Windows.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 003579904 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\MediaEngine.dll
2017-12-14 15:15 - 2017-12-14 15:19 - 003204096 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\AppCore.Windows.dll
2017-08-29 17:22 - 2017-08-29 17:22 - 003553704 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 000043520 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.Edit.Services.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 004038144 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.People.PeoplePicker.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 001367040 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.RichMedia.Ink.Controls.dll
2017-12-14 15:15 - 2017-12-14 15:21 - 000214528 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\SKU.dll
2017-12-15 11:34 - 2017-12-06 12:24 - 004063064 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.84\libglesv2.dll
2017-12-15 11:34 - 2017-12-06 12:24 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\63.0.3239.84\libegl.dll
2017-12-06 14:15 - 2017-12-06 14:16 - 000061952 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_11711.1001.5.0_x64__8wekyb3d8bbwe\WinStoreTasksWrapper.dll
2017-12-08 14:13 - 2017-12-08 14:13 - 000102088 _____ () C:\Users\Sinsuat\AppData\Local\Microsoft\OneDrive\17.3.7131.1115\UpdateRingSettings.dll
2012-03-02 23:07 - 2011-05-18 05:27 - 000028672 _____ () C:\Windows\jmesoft\hidhook.dll
2012-03-02 23:40 - 2010-09-10 03:19 - 000210432 _____ () C:\Program Files\Lenovo\Lenovo Eye Distance System\KeyStoneAdapter.dll
2012-03-02 23:40 - 2010-09-10 03:18 - 000211456 _____ () C:\Program Files\Lenovo\Lenovo Eye Distance System\VideoPlayer.dll
2012-03-02 23:40 - 2010-09-21 02:08 - 000210432 _____ () C:\Program Files\Lenovo\Lenovo Brightness System\KeyStoneAdapter.dll
2012-03-02 23:40 - 2010-09-21 10:55 - 000182272 _____ () C:\Program Files\Lenovo\Lenovo Brightness System\DDCHelperWraper.dll
2009-12-05 08:59 - 2009-12-05 08:59 - 000619816 _____ () C:\Program Files (x86)\Lenovo\Power2Go\CLMediaLibrary.dll
2009-12-05 09:04 - 2009-12-05 09:04 - 000013096 _____ () C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvcPS.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 10:34 - 2009-06-11 05:00 - 000000824 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\theme1\img13.jpg
HKU\S-1-5-21-3712062798-2683279141-1189575495-1005\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "Monitor"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{1886CCD4-6E56-40BA-A241-FEA3567D4C1C}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [UDP Query User{EC04F5D1-0810-4273-A9F5-EB43D7D37AA3}C:\program files\blackmagic design\davinci resolve\resolve.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\resolve.exe
FirewallRules: [TCP Query User{8160CF9C-D079-45D4-B311-28C7E2A84954}C:\program files\blackmagic design\davinci resolve\resolve.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\resolve.exe
FirewallRules: [UDP Query User{E9971126-376F-45D1-8D80-91D659860130}C:\program files\blackmagic design\davinci resolve\dpdecoder.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\dpdecoder.exe
FirewallRules: [TCP Query User{3D2B5BA6-0820-48BB-BD8C-7996448C7698}C:\program files\blackmagic design\davinci resolve\dpdecoder.exe] => (Allow) C:\program files\blackmagic design\davinci resolve\dpdecoder.exe
FirewallRules: [{9DAEB865-0707-4405-82E5-8438C5EE14B1}] => (Allow) C:\ProgramData\Blackmagic Design\DaVinci Resolve\Support\QtDecoder\QTDecoder.exe
FirewallRules: [{D6DABDBF-8753-4B14-ABC6-50B2A057B840}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\DPDecoder.exe
FirewallRules: [{AB08A435-FE3A-4A54-8D20-82C2D5A147D2}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\OxygenPanelDaemon.exe
FirewallRules: [{C1F3E45F-971B-44D4-A46B-6AD4BC4EC304}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\ElementsPanelDaemon.exe
FirewallRules: [{72B9210F-2D52-4A9F-8AB5-0B1869F37A74}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\TangentPanelDaemon.exe
FirewallRules: [{5DDC62D2-5FAC-4857-AC5C-3306C8E6369C}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\EuphonixPanelDaemon.exe
FirewallRules: [{2B5DD3E4-CD79-4B9F-A1F3-B784B7881279}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\JLCooperPanelDaemon.exe
FirewallRules: [{41D9D613-BAB4-46AA-9550-0C86723A8C06}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\DaVinciPanelDaemon.exe
FirewallRules: [{BE845F0C-478E-4C5A-AFB6-1A3B8F04359E}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\bmdpaneld.exe
FirewallRules: [{3B8BA633-8CB5-4F95-9452-96B3DC67FEDA}] => (Allow) C:\Program Files\Blackmagic Design\DaVinci Resolve\Resolve.exe
FirewallRules: [{422A08B9-F4E8-420C-89C3-BE4BDBE0E631}] => (Block) C:\program files\openshot video editor\launch.exe
FirewallRules: [{58879822-5C22-4605-8729-3E6AD7660643}] => (Block) C:\program files\openshot video editor\launch.exe
FirewallRules: [UDP Query User{BC157CDA-67BF-4C92-BF60-DCFAE23A7003}C:\program files\openshot video editor\launch.exe] => (Allow) C:\program files\openshot video editor\launch.exe
FirewallRules: [TCP Query User{73AEC0E8-50F7-453B-9DB9-5AA63463ED6E}C:\program files\openshot video editor\launch.exe] => (Allow) C:\program files\openshot video editor\launch.exe
FirewallRules: [{CA0CB563-3232-4941-B0B6-3A80EEFEEE23}] => (Allow) C:\Program Files\GoPro\GoPro Desktop App\GoProLauncher.exe
FirewallRules: [{7C9C1212-3D60-483C-AA6C-1D016F58FF63}] => (Allow) C:\Program Files\GoPro\GoPro Desktop App\GoProIDService.exe
FirewallRules: [{5521C995-05E1-41A6-8F51-E02044726D36}] => (Allow) C:\Program Files\GoPro\GoPro Desktop App\GoProMsgBus.exe
FirewallRules: [{58296D20-4257-4460-9767-416834E76A02}] => (Allow) C:\Program Files\GoPro\GoPro Desktop App\GoPro Quik.exe
FirewallRules: [UDP Query User{4D57B112-E968-43A7-BB05-1151E9B32E98}C:\program files\java\jre1.8.0_91\bin\javaw.exe] => (Block) C:\program files\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [TCP Query User{0B256E1A-A3A9-497B-9478-21A90C12F919}C:\program files\java\jre1.8.0_91\bin\javaw.exe] => (Block) C:\program files\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [{4682A11F-0244-428A-B282-6D976BDD8B8D}] => (Block) D:\firefox\firefox.exe
FirewallRules: [{6B413557-4BF2-429E-85DC-C40C3F693208}] => (Block) D:\firefox\firefox.exe
FirewallRules: [UDP Query User{2DFC10E7-AA8C-4B08-A67A-E61C59BA6086}D:\firefox\firefox.exe] => (Allow) D:\firefox\firefox.exe
FirewallRules: [TCP Query User{C959EC5B-87E7-44DD-98DF-B3F83767FD13}D:\firefox\firefox.exe] => (Allow) D:\firefox\firefox.exe
FirewallRules: [UDP Query User{3332C4EF-C98E-4034-B235-98791F0B88BC}C:\program files\java\jre1.8.0_91\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [TCP Query User{FD273EFB-7F39-45C3-AAC7-5CF4F8EFCE1C}C:\program files\java\jre1.8.0_91\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [{1C7361DF-CF5C-4F47-8D6D-BAB38255FA1A}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{F4B81348-DDEB-4655-B30E-0E117B0E1A84}] => (Allow) LPort=2869
FirewallRules: [{848DCB7B-C005-44BC-8651-7FDB1E839EAA}] => (Allow) LPort=1900
FirewallRules: [{7CDEC7C0-AAFB-4BA9-AB92-5266B1B15D72}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{1FB079F7-9EB8-49AF-ADE1-32CE101D755E}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [{145859B9-0C72-41F0-A02C-1B5D13C11092}] => (Allow) D:\skype\Phone\Skype.exe
FirewallRules: [{7381FD8D-3607-4B82-841F-30730444DD00}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{F6F31248-142F-45B0-8CA6-A1DA83E8293A}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{D5D24FEF-2725-4184-9549-662EE16CD9C6}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{BE8E5770-2A25-4A8F-B357-1F25F17F737C}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [TCP Query User{6C7E2FB5-36C2-48C8-8F0A-AADFCE228B5D}D:\transformers rise of the dark spark\binaries\transgame.exe] => (Block) D:\transformers rise of the dark spark\binaries\transgame.exe
FirewallRules: [UDP Query User{CD89657D-FE66-471A-857D-FADDB745B4A4}D:\transformers rise of the dark spark\binaries\transgame.exe] => (Block) D:\transformers rise of the dark spark\binaries\transgame.exe
FirewallRules: [{DC9FCA70-D5F4-43C3-A010-4050CE1129E8}] => (Allow) D:\D my documents\Launcher.exe
FirewallRules: [{30F04F13-DB3C-4B3D-8BB0-5AD059E21AFA}] => (Allow) D:\D my documents\Launcher.exe
FirewallRules: [TCP Query User{1640EC66-D6DA-47A3-BB1C-F6184A2D3B8E}D:\d my documents\nfs11.exe] => (Block) D:\d my documents\nfs11.exe
FirewallRules: [UDP Query User{5A894639-A59E-4953-909B-B3D9026B276B}D:\d my documents\nfs11.exe] => (Block) D:\d my documents\nfs11.exe
FirewallRules: [TCP Query User{2D4707B8-798C-4620-8104-23D083B4480C}D:\transformers rise of the dark spark\binaries\transgame.exe] => (Block) D:\transformers rise of the dark spark\binaries\transgame.exe
FirewallRules: [UDP Query User{C08DBF6E-E39D-4230-A035-289E8E1CFD57}D:\transformers rise of the dark spark\binaries\transgame.exe] => (Block) D:\transformers rise of the dark spark\binaries\transgame.exe
FirewallRules: [{701B640D-C230-439C-BC2C-8A52A1A03323}] => (Allow) D:\leapfrog\LeapFrog Connect\LeapfrogConnect.exe
FirewallRules: [{77C7860A-03E6-45B2-A54C-6513403DEB94}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{50CDC316-7C8D-4601-B901-0927163A18BF}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{0F988BEA-E7F8-4646-BD0B-98BA22B875DB}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{62E8D04A-1C97-4A9A-828E-FBD7C4A51291}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{9A17D3CE-B76A-4D24-9714-D5EF4B3E1D0B}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{3FE2B457-1443-437D-93F9-6B49D196DDF5}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{D8D30CF4-9A5D-4E14-9479-25677043104A}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{9682CC6E-54C8-48F2-AE91-7FA003E54B03}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [TCP Query User{6F0D0A53-F8E8-4A65-82C8-BF25B6D53626}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{FE5ED642-49C7-49FB-8CCD-41B95DF32FEC}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [{53095523-EFFB-49EE-A22B-318871C5F816}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{84009C6B-F803-49B8-B814-5DBCCF0052DA}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [TCP Query User{20FCC5C2-5F71-4910-95D2-26497F4FCE2B}D:\vlc\vlc.exe] => (Allow) D:\vlc\vlc.exe
FirewallRules: [UDP Query User{CCC3E1D4-ED0C-4AB2-B137-2B755A9DCC4E}D:\vlc\vlc.exe] => (Allow) D:\vlc\vlc.exe
FirewallRules: [TCP Query User{D701D5E5-52EB-4421-AF39-45CE938478CA}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{A7C6614E-CB54-48FC-8910-B26EA7942EAE}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Block) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/08/2018 01:24:25 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Host Process for Windows Services because of this error.
 
Program: Host Process for Windows Services
File: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat
 
The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
- It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
 
Additional Data
Error value: C0000102
Disk type: 3
 
Error: (01/08/2018 01:24:25 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_CryptSvc, version: 10.0.16299.15, time stamp: 0x9c786b9a
Faulting module name: bcryptPrimitives.dll, version: 10.0.16299.15, time stamp: 0x7c009630
Exception code: 0xc0000006
Fault offset: 0x000000000001723a
Faulting process id: 0x3014
Faulting application start time: 0x01d38840f276eaa7
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\System32\bcryptPrimitives.dll
Report Id: 36e023be-3f4e-4a30-b774-5e25ec95c5c8
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (01/08/2018 01:24:15 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Host Process for Windows Services because of this error.
 
Program: Host Process for Windows Services
File: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat
 
The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
- It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
 
Additional Data
Error value: C0000102
Disk type: 3
 
Error: (01/08/2018 01:24:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_CryptSvc, version: 10.0.16299.15, time stamp: 0x9c786b9a
Faulting module name: bcryptPrimitives.dll, version: 10.0.16299.15, time stamp: 0x7c009630
Exception code: 0xc0000006
Fault offset: 0x000000000001723a
Faulting process id: 0x1814
Faulting application start time: 0x01d38840ec122a7e
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\System32\bcryptPrimitives.dll
Report Id: eefb30b4-32cb-4284-a1a7-bf754944c2ff
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (01/08/2018 11:57:43 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: firefox.exe, version: 57.0.3.6569, time stamp: 0x5a421d09
Faulting module name: shcore.dll, version: 10.0.16299.15, time stamp: 0x6c07e48f
Exception code: 0xc0000005
Fault offset: 0x0000000000036c7a
Faulting process id: 0x29d4
Faulting application start time: 0x01d38834d4d7e01e
Faulting application path: D:\firefox\firefox.exe
Faulting module path: C:\WINDOWS\System32\shcore.dll
Report Id: 81bf8e83-73b0-4e7f-af51-b97e606f8c63
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (01/08/2018 11:46:38 AM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Host Process for Windows Services because of this error.
 
Program: Host Process for Windows Services
File: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat
 
The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
- It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
 
Additional Data
Error value: C0000102
Disk type: 3
 
Error: (01/08/2018 11:46:38 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_CryptSvc, version: 10.0.16299.15, time stamp: 0x9c786b9a
Faulting module name: bcryptPrimitives.dll, version: 10.0.16299.15, time stamp: 0x7c009630
Exception code: 0xc0000006
Fault offset: 0x000000000001723a
Faulting process id: 0x334c
Faulting application start time: 0x01d3883348a5165c
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\System32\bcryptPrimitives.dll
Report Id: ada3f465-b758-4cfb-acfa-e8fcb12d7520
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (01/08/2018 11:41:28 AM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Host Process for Windows Services because of this error.
 
Program: Host Process for Windows Services
File: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat
 
The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
- It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
 
Additional Data
Error value: C0000102
Disk type: 3
 
Error: (01/08/2018 11:41:28 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_CryptSvc, version: 10.0.16299.15, time stamp: 0x9c786b9a
Faulting module name: bcryptPrimitives.dll, version: 10.0.16299.15, time stamp: 0x7c009630
Exception code: 0xc0000006
Fault offset: 0x000000000001723a
Faulting process id: 0x3388
Faulting application start time: 0x01d388329034947a
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\System32\bcryptPrimitives.dll
Report Id: c1ed4404-b1c7-466c-a313-e30c959c0d62
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (01/08/2018 11:41:25 AM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Host Process for Windows Services because of this error.
 
Program: Host Process for Windows Services
File: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_33_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.1.cat
 
The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
- It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.
 
Additional Data
Error value: C0000102
Disk type: 3
 
 
System errors:
=============
Error: (01/08/2018 01:24:26 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 17 time(s).
 
Error: (01/08/2018 01:24:16 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 16 time(s).
 
Error: (01/08/2018 01:22:00 PM) (Source: DCOM) (EventID: 10016) (User: Sinsuat-PC)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user Sinsuat-PC\Sinsuat SID (S-1-5-21-3712062798-2683279141-1189575495-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (01/08/2018 12:14:25 PM) (Source: DCOM) (EventID: 10010) (User: Sinsuat-PC)
Description: The server Microsoft.MicrosoftEdge_41.16299.15.0_neutral__8wekyb3d8bbwe!ContentProcess did not register with DCOM within the required timeout.
 
Error: (01/08/2018 11:46:45 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800706ba: Update for Windows 10 Version 1709 for x64-based Systems (KB4058043).
 
Error: (01/08/2018 11:46:45 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x800706be: 2017-12 Security Update for Adobe Flash Player for Windows 10 Version 1709 for x64-based Systems (KB4053577).
 
Error: (01/08/2018 11:46:39 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 15 time(s).
 
Error: (01/08/2018 11:41:29 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 14 time(s).
 
Error: (01/08/2018 11:41:26 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 13 time(s).
 
Error: (01/08/2018 11:41:03 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Cryptographic Services service terminated unexpectedly.  It has done this 12 time(s).
 
 
CodeIntegrity:
===================================
  Date: 2018-01-08 13:23:02.314
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2018-01-08 13:23:02.214
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2018-01-08 13:21:57.037
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Store signing level requirements.
 
  Date: 2018-01-08 13:21:56.684
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Store signing level requirements.
 
  Date: 2018-01-08 13:21:56.446
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Store signing level requirements.
 
  Date: 2018-01-08 13:21:56.206
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Program Files\Malwarebytes\Anti-Malware\mbae64.dll that did not meet the Store signing level requirements.
 
  Date: 2018-01-08 13:10:24.604
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2018-01-08 13:10:24.554
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2018-01-08 12:55:22.162
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
  Date: 2018-01-08 12:55:22.104
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-2320 CPU @ 3.00GHz
Percentage of memory in use: 58%
Total physical RAM: 4078.45 MB
Available physical RAM: 1708.55 MB
Total Virtual: 8174.45 MB
Available Virtual: 4943.88 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:97.66 GB) (Free:12.39 GB) NTFS
Drive d: () (Fixed) (Total:342.93 GB) (Free:86.43 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 54BCC2DE)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=97.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=342.9 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=25.1 GB) - (Type=12)
 
==================== End of Addition.txt ============================
 
 
Many thanks for your continued assistance.


#11 SleepyDude

  • Malware Response Team
  • 3,076 posts
  • Gender:Male
  • Location:Portugal

Posted 08 January 2018 - 04:35 PM

Hi,

I see that Windows updated to the latest version but some little problems continue!

Before working on fixing them I need you to enable System Restore by following this guide: http://www.thewindowsclub.com/system-restore-disabled-turn-on-system-restore-windows

Let me know if you have any problem enabling System Restore or get any system error.


• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#12 byallmeans

  • Topic Starter
  • Members
  • 28 posts

Posted 09 January 2018 - 12:35 AM

Hi SleepyDude,

Yes, Windows updated to the latest version after you started supporting me with all this. Thank you for that.

I have enabled System Restore after following the link and created another restore point as the link suggested. No problems enabling it.



#13 SleepyDude

  • Malware Response Team
  • 3,076 posts
  • Gender:Male
  • Location:Portugal

Posted 09 January 2018 - 08:43 AM

Hi,
 
You are welcome. Let's do some fixing...
 
 
Farbar Recovery Scanner Fix

!!! WARNING !!! The following fix is only relevant for this system and no other; running the script on another computer will not work and may cause problems...

  • Open Notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy.)
  • Right-click in the open Notepad and select Paste.
  • Save it on the Desktop as fixlist.txt
    (It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work!)

    Start::
    CloseProcesses:
    CreateRestorePoint:
    Toolbar: HKU\S-1-5-21-3712062798-2683279141-1189575495-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
    U3 idsvc; no ImagePath
    Task: {0F4596CB-DA76-4AD7-96F0-CD4846800D85} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
    Task: {1C318FCE-5646-45CA-89A4-E91EA7C0DFFC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
    Task: {1CCDC358-13DE-4B3C-B07A-39010AEF2F7D} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
    Task: {26D226DF-5C1B-45C6-ABFD-41FDB73F5510} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
    Task: {471F1EB6-4364-4B5A-8010-AF0C6D1BF61D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
    Task: {5B5E53D6-CF56-436D-816E-CC7B72EEDDB9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
    Task: {652A7B18-8522-4174-9D0D-060A98890D1C} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
    Task: {69F66B84-3346-4AE0-8FE7-65FD8AA5E4B2} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
    Task: {7B816CAA-2BB7-4B14-902E-5C3A4018D9AC} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
    Task: {8A8D66C3-1CDA-4349-B9D5-B3BABEE1C80D} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
    Task: {9D4610C9-BBC6-420D-B733-EBA6C97829E1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
    Task: {A644ABBB-BABF-4A76-95E2-2FEA3B1E16E1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
    Task: {BFE6F55D-39C4-4AD9-9D7C-2E1D42514C8B} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
    Task: {C146D59A-232E-4F59-BCAF-795BBB1277C6} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
    Task: {CAF1515A-53CD-42C9-8CB5-F04EBC3A8E42} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
    cmd: sc query CryptSvc
    StartRegedit:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
    "DisplayName"="@%SystemRoot%\\system32\\cryptsvc.dll,-1001"
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
      00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
      6b,00,20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,53,00,65,00,72,00,76,\
      00,69,00,63,00,65,00,00,00
    "Start"=dword:00000002
    "Type"=dword:00000020
    "Description"="@%SystemRoot%\\system32\\cryptsvc.dll,-1002"
    "DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
    "ObjectName"="NT Authority\\NetworkService"
    "ServiceSidType"=dword:00000001
    "RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
      00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
      67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,\
      00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
      65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,\
      00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
      00,00
    "FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
      00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters]
    "ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
      00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
      63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
      00
    "ServiceDllUnloadOnStop"=dword:00000001
    "ServiceMain"="CryptServiceMain"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security]
    "Security"=hex:01,00,04,80,a0,00,00,00,ac,00,00,00,00,00,00,00,14,00,00,00,02,\
      00,8c,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,\
      00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\
      00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,14,00,\
      8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,18,00,fd,01,02,00,01,\
      02,00,00,00,00,00,05,20,00,00,00,25,02,00,00,00,00,18,00,8d,00,02,00,01,02,\
      00,00,00,00,00,0f,02,00,00,00,01,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
      00,01,01,00,00,00,00,00,05,12,00,00,00
    EndRegedit:
    EmptyTemp:
    End::

  • Run FRST/FRST64 and press the Fix button just once and wait. After the fix the system needs to restart; if the tool does not request it, please restart the computer.
  • The tool will make a log (Fixlog.txt) in the same location as FRST/FRST64; please post it in your next reply.
  • Restart the Computer

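Before a fix like the one in the post above is run, it is worth reading what the hex-encoded registry values actually set. This added Python example (not part of the thread, and not FRST code) decodes the CryptSvc block of the posted fixlist (REG_EXPAND_SZ, REG_MULTI_SZ, DWORD and the binary FailureActions structure) and runs the sanity checks a reviewer would want on a service block: host binary and ServiceDll under %SystemRoot%\system32, and a built-in service account. The sample input is the fixlist text from this thread, trimmed to the values decoded.

```python
"""Decode the REG_EXPAND_SZ, REG_MULTI_SZ and binary values of a .reg-style fixlist
fragment so the service configuration a fix will write can be reviewed first."""
import re
import struct

# Constructed sample input: the CryptSvc block of the fixlist posted in this
# thread, trimmed to the values decoded below.
FIXLIST_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,53,00,65,00,72,00,76,\
  00,69,00,63,00,65,00,00,00
"Start"=dword:00000002
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ObjectName"="NT Authority\\NetworkService"
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,\
  00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
  65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,\
  00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
  00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
  00
'''

ACTION_NAMES = {0: 'none', 1: 'restart', 2: 'reboot', 3: 'run command'}  # SC_ACTION_*
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def _join_continuations(text):
    """Rejoin values that regedit wrapped with a trailing backslash."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith('\\'):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.strip())
    return [line for line in lines if line]

def _hex_bytes(payload):
    return bytes(int(h, 16) for h in payload.split(',') if h)

def _failure_actions(data):
    """SERVICE_FAILURE_ACTIONS as stored in the registry: reset period (s), two
    string offsets, action count, then the offset of the (type, delay_ms) array."""
    reset, _msg, _cmd, count, offset = struct.unpack_from('<5I', data, 0)
    actions = [struct.unpack_from('<2I', data, offset + 8 * i) for i in range(count)]
    return {'reset_period_s': reset,
            'actions': [(ACTION_NAMES.get(k, k), d) for k, d in actions]}

def _decode_value(name, rest):
    if rest.startswith('"'):                   # REG_SZ with .reg escaping
        return rest[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if rest.startswith('dword:'):
        return int(rest[6:], 16)
    if rest.startswith('hex(2):'):             # REG_EXPAND_SZ, UTF-16LE
        return _hex_bytes(rest[7:]).decode('utf-16-le').rstrip('\x00')
    if rest.startswith('hex(7):'):             # REG_MULTI_SZ, NUL-separated
        return [s for s in _hex_bytes(rest[7:]).decode('utf-16-le').split('\x00') if s]
    if rest.startswith('hex:'):                # REG_BINARY
        data = _hex_bytes(rest[4:])
        return _failure_actions(data) if name == 'FailureActions' else data
    raise ValueError('unsupported value: %r' % rest)

def parse_reg(text):
    """Return {key: {value_name: decoded_value}} for a .reg fragment."""
    result, key = {}, None
    for line in _join_continuations(text):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            result[key] = {}
            continue
        match = VALUE_RE.match(line)
        if not match or key is None:
            raise ValueError('unrecognised line: %r' % line)
        result[key][match.group(1)] = _decode_value(match.group(1), match.group(2))
    return result

def review_service(parsed, key):
    """Sanity checks before applying a service block: host and ServiceDll under
    %SystemRoot%\\system32, built-in service account. Empty list = looks sane."""
    svc, params = parsed[key], parsed.get(key + '\\Parameters', {})
    findings = []
    if not svc.get('ImagePath', '').lower().startswith('%systemroot%\\system32\\svchost.exe'):
        findings.append('ImagePath is not the System32 svchost.exe host')
    if not params.get('ServiceDll', '').lower().startswith('%systemroot%\\system32\\'):
        findings.append('ServiceDll is outside %SystemRoot%\\system32')
    if svc.get('ObjectName', '').lower() not in (
            'localsystem', 'nt authority\\networkservice', 'nt authority\\localservice'):
        findings.append('service runs as an unexpected account')
    return findings
```

The decoded FailureActions value shows the recovery policy the fix writes for CryptSvc: one automatic restart after 60 s within a one-day reset window, then no further action.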

 
 


#14 byallmeans

  • Topic Starter
  • Members
  • 28 posts

Posted 10 January 2018 - 03:19 AM

Hi SleepyDude,

 

I followed your instructions. Here is the Fixlog.txt report:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by Sinsuat (10-01-2018 16:06:33) Run:1
Running from C:\Users\Sinsuat\Desktop
Loaded Profiles: Sinsuat & postgres (Available Profiles: Sinsuat & postgres & Administrator & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
Toolbar: HKU\S-1-5-21-3712062798-2683279141-1189575495-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
U3 idsvc; no ImagePath
Task: {0F4596CB-DA76-4AD7-96F0-CD4846800D85} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {1C318FCE-5646-45CA-89A4-E91EA7C0DFFC} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {1CCDC358-13DE-4B3C-B07A-39010AEF2F7D} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {26D226DF-5C1B-45C6-ABFD-41FDB73F5510} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {471F1EB6-4364-4B5A-8010-AF0C6D1BF61D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {5B5E53D6-CF56-436D-816E-CC7B72EEDDB9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {652A7B18-8522-4174-9D0D-060A98890D1C} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {69F66B84-3346-4AE0-8FE7-65FD8AA5E4B2} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {7B816CAA-2BB7-4B14-902E-5C3A4018D9AC} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8A8D66C3-1CDA-4349-B9D5-B3BABEE1C80D} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {9D4610C9-BBC6-420D-B733-EBA6C97829E1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {A644ABBB-BABF-4A76-95E2-2FEA3B1E16E1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {BFE6F55D-39C4-4AD9-9D7C-2E1D42514C8B} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {C146D59A-232E-4F59-BCAF-795BBB1277C6} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {CAF1515A-53CD-42C9-8CB5-F04EBC3A8E42} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
cmd: sc query CryptSvc
StartRegedit:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"DisplayName"="@%SystemRoot%\\system32\\cryptsvc.dll,-1001"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,53,00,65,00,72,00,76,\
  00,69,00,63,00,65,00,00,00
"Start"=dword:00000002
"Type"=dword:00000020
"Description"="@%SystemRoot%\\system32\\cryptsvc.dll,-1002"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ObjectName"="NT Authority\\NetworkService"
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,\
  00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
  65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,\
  00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
  00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceMain"="CryptServiceMain"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security]
"Security"=hex:01,00,04,80,a0,00,00,00,ac,00,00,00,00,00,00,00,14,00,00,00,02,\
  00,8c,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,\
  00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\
  00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,14,00,\
  8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,18,00,fd,01,02,00,01,\
  02,00,00,00,00,00,05,20,00,00,00,25,02,00,00,00,00,18,00,8d,00,02,00,01,02,\
  00,00,00,00,00,0f,02,00,00,00,01,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00
EndRegedit:
EmptyTemp:
 
*****************
 
Processes closed successfully.
Restore point was successfully created.
"HKU\S-1-5-21-3712062798-2683279141-1189575495-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F}" => removed successfully
HKLM\Software\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found
"HKLM\System\CurrentControlSet\Services\idsvc" => removed successfully
idsvc => service removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0F4596CB-DA76-4AD7-96F0-CD4846800D85} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F4596CB-DA76-4AD7-96F0-CD4846800D85}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OfficeSoftwareProtectionPlatform\SvcRestartTask" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1C318FCE-5646-45CA-89A4-E91EA7C0DFFC}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1C318FCE-5646-45CA-89A4-E91EA7C0DFFC}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1CCDC358-13DE-4B3C-B07A-39010AEF2F7D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1CCDC358-13DE-4B3C-B07A-39010AEF2F7D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{26D226DF-5C1B-45C6-ABFD-41FDB73F5510}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{26D226DF-5C1B-45C6-ABFD-41FDB73F5510}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{471F1EB6-4364-4B5A-8010-AF0C6D1BF61D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{471F1EB6-4364-4B5A-8010-AF0C6D1BF61D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5B5E53D6-CF56-436D-816E-CC7B72EEDDB9}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B5E53D6-CF56-436D-816E-CC7B72EEDDB9}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{652A7B18-8522-4174-9D0D-060A98890D1C}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{652A7B18-8522-4174-9D0D-060A98890D1C}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => key not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{69F66B84-3346-4AE0-8FE7-65FD8AA5E4B2}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{69F66B84-3346-4AE0-8FE7-65FD8AA5E4B2}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7B816CAA-2BB7-4B14-902E-5C3A4018D9AC}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B816CAA-2BB7-4B14-902E-5C3A4018D9AC}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8A8D66C3-1CDA-4349-B9D5-B3BABEE1C80D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8A8D66C3-1CDA-4349-B9D5-B3BABEE1C80D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9D4610C9-BBC6-420D-B733-EBA6C97829E1}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9D4610C9-BBC6-420D-B733-EBA6C97829E1}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A644ABBB-BABF-4A76-95E2-2FEA3B1E16E1}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A644ABBB-BABF-4A76-95E2-2FEA3B1E16E1}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BFE6F55D-39C4-4AD9-9D7C-2E1D42514C8B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BFE6F55D-39C4-4AD9-9D7C-2E1D42514C8B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C146D59A-232E-4F59-BCAF-795BBB1277C6}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C146D59A-232E-4F59-BCAF-795BBB1277C6}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CAF1515A-53CD-42C9-8CB5-F04EBC3A8E42}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CAF1515A-53CD-42C9-8CB5-F04EBC3A8E42}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d" => removed successfully
 
========= sc query CryptSvc =========
 
 
SERVICE_NAME: CryptSvc 
        TYPE               : 30  WIN32  
        STATE              : 1  STOPPED 
        WIN32_EXIT_CODE    : 1067  (0x42b)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
========= End of CMD: =========
 
 
====> Registry
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 15938105 B
Java, Flash, Steam htmlcache => 63919915 B
Windows/system/drivers => 2510893 B
Edge => 4761 B
Chrome => 636133913 B
Firefox => 386822650 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 14257942 B
Sinsuat => 603633159 B
postgres => 6656 B
Administrator => 10548 B
DefaultAppPool => 6656 B
 
RecycleBin => 7279804156 B
EmptyTemp: => 8.4 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 16:09:35 ====
 
 
Many thanks


#15 SleepyDude

  • Malware Response Team
  • 3,076 posts
  • Gender:Male
  • Location:Portugal

Posted 10 January 2018 - 04:24 AM

Hi,

Thank you for the log. Let me check the fix result...
  • open the Command Prompt as Administrator (Tutorial)
  • type the command:
    sc query CryptSvc
Copy & Paste the result to your post.


 
 




